US8875289B2 - System and method for preventing malware on a mobile communication device - Google Patents

System and method for preventing malware on a mobile communication device Download PDF

Info

Publication number
US8875289B2
US8875289B2 US13/689,588 US201213689588A US8875289B2 US 8875289 B2 US8875289 B2 US 8875289B2 US 201213689588 A US201213689588 A US 201213689588A US 8875289 B2 US8875289 B2 US 8875289B2
Authority
US
United States
Prior art keywords
mobile communication
data
communication device
data object
server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
US13/689,588
Other versions
US20130086682A1 (en
Inventor
Kevin Patrick Mahaffey
James David Burgess
David Golombek
Timothy Micheal Wyatt
Anthony McKay Lineberry
Kyle Barton
Daniel Lee Evans
David Luke Richardson
Ariel Salomon
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
LookOut Inc
Original Assignee
LookOut Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from US12/255,621 external-priority patent/US8108933B2/en
Priority to US13/689,588 priority Critical patent/US8875289B2/en
Application filed by LookOut Inc filed Critical LookOut Inc
Assigned to Lookout, Inc. reassignment Lookout, Inc. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: BARTON, KYLE, BURGESS, JAMES DAVID, EVANS, DANIEL LEE, GOLOMBEK, DAVID, LINEBERRY, ANTHONY MCKAY, MAHAFFEY, KEVIN PATRICK, RICHARDSON, DAVID LUKE, SALOMON, ARIEL, WYATT, TIMOTHY MICHEAL
Publication of US20130086682A1 publication Critical patent/US20130086682A1/en
Priority to US14/318,450 priority patent/US9294500B2/en
Application granted granted Critical
Publication of US8875289B2 publication Critical patent/US8875289B2/en
Priority to US14/973,636 priority patent/US9781148B2/en
Priority to US15/393,089 priority patent/US9779253B2/en
Priority to US15/498,325 priority patent/US9860263B2/en
Priority to US15/687,395 priority patent/US9996697B2/en
Priority to US16/000,712 priority patent/US10417432B2/en
Priority to US16/443,697 priority patent/US10509911B2/en
Priority to US16/443,682 priority patent/US10509910B2/en
Priority to US16/670,227 priority patent/US11080407B2/en
Assigned to SILICON VALLEY BANK reassignment SILICON VALLEY BANK SECURITY INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: Lookout, Inc.
Priority to US17/374,280 priority patent/US11886232B2/en
Assigned to Lookout, Inc. reassignment Lookout, Inc. RELEASE BY SECURED PARTY (SEE DOCUMENT FOR DETAILS). Assignors: SILICON VALLEY BANK (THE "BANK")
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562Static detection
    • G06F21/564Static detection by virus signature recognition
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433Vulnerability analysis
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general

Definitions

  • This disclosure relates generally to mobile security, and specifically, to detecting and preventing data from adversely affecting a mobile communication device or group of mobile communication devices.
  • Today's mobile communication devices such as cellular telephones, smartphones, wireless-enabled personal data assistants, tablet PCs, netbooks, and the like, are becoming more common as platforms for various software applications.
  • a mobile communication device user now has more freedom to choose and install different software applications, thereby customizing the mobile communication device experience.
  • the ability to interact, install, and operate third party software inevitably leaves the mobile communication device susceptible to vulnerabilities, malware, and other harmful software applications.
  • mobile communication devices lack the processing power or resources for effectively running analogous software.
  • Third party applications have been developed that provide rudimentary scanning functions on a mobile communication device; however, these applications are often device, operating system, or application-specific. As such, a single universal platform-agnostic system for efficiently monitoring, scanning, remedying, and protecting mobile communication devices does not exist. It would be desirable to provide such a system that works on any mobile communication device, that is hardware and software agnostic, and that can be continuously updated to provide constant real-time protection. Moreover, it would be desirable to provide an adaptable system that can act and react to the demands and changes affecting a number of mobile communication devices, thereby providing intelligent malware protection.
  • FIG. 1 is an exemplary block diagram depicting an embodiment of the disclosure.
  • FIG. 2 is an exemplary flow diagram illustrating the steps of an embodiment of the disclosure.
  • FIG. 3 is an exemplary flow diagram illustrating the steps of an embodiment of the disclosure.
  • FIG. 4 is an exemplary flow diagram illustrating the steps of an embodiment of the disclosure.
  • FIG. 5 is an exemplary flow diagram illustrating the steps of an embodiment of the disclosure.
  • FIG. 6 is an exemplary flow diagram illustrating the steps of an embodiment of the disclosure.
  • FIG. 7 is an exemplary flow diagram illustrating the steps of an embodiment of the disclosure.
  • FIG. 8 is an exemplary flow diagram illustrating the steps of an embodiment of the disclosure.
  • FIG. 9 is an exemplary flow diagram illustrating the steps of an embodiment of the disclosure.
  • FIG. 10 is an exemplary flow diagram illustrating the steps of an embodiment of the disclosure.
  • FIG. 11 is an exemplary flow diagram illustrating the steps of an embodiment of the disclosure.
  • FIG. 12 is an exemplary flow diagram illustrating the steps of an embodiment of the disclosure.
  • This disclosure is directed to a system and methods for using a server to provide protection from and removal of undesired applications or other data objects that may affect a mobile communication device or plurality of mobile communication devices, regardless of the make or model of the mobile communication device(s), the mobile communication network, or the software applications present on the mobile communication device(s).
  • a server to provide protection from and removal of undesired applications or other data objects that may affect a mobile communication device or plurality of mobile communication devices, regardless of the make or model of the mobile communication device(s), the mobile communication network, or the software applications present on the mobile communication device(s).
  • all of the services associated with the identification, analysis, and removal of potentially undesired applications or other data objects, as well as mobile communication device protection are described under the non-limiting term, “security.”
  • an embodiment of this disclosure is directed to providing security to a plurality of mobile communication devices, such as a plurality of mobile communication devices for a group of employees, or a plurality of mobile communication devices that access a particular network.
  • An embodiment of this disclosure is directed to safely and securely gathering information about applications on mobile communication devices without taxing individual mobile communication devices or the mobile network and utilizing the information about applications to secure mobile communication devices.
  • An embodiment of this disclosure is directed to using information gathered from mobile communication devices to generate user or device information that can be used to develop future products or services for mobile communication devices.
  • an embodiment of this disclosure can be implemented in numerous ways, including as a process, an apparatus, a system, a device, a method, a computer readable medium such as a computer readable storage medium containing computer readable instructions or computer program code, or as a computer program product comprising a computer usable medium having a computer readable program code embodied therein.
  • a computer readable medium such as a computer readable storage medium containing computer readable instructions or computer program code
  • a computer program product comprising a computer usable medium having a computer readable program code embodied therein.
  • the mobile communication device described herein may include any computer or computing device running an operating system for use on handheld or mobile devices, such as smartphones, PDAs, tablets, mobile phones and the like.
  • a mobile communication device may include devices such as the Apple iPhone®, the Apple iPad®, the Palm PreTM, or any device running the Apple iOSTM, AndroidTM OS, Google Chrome OS, Symbian OS®, Windows Mobile® OS, Palm OS® or Palm Web OSTM.
  • the mobile communication device may also be referred to as a mobile device, a mobile client, or simply, as a device or as a client.
  • a computer usable medium or computer readable medium may be any medium that can contain or store the program for use by or in connection with the instruction execution system, apparatus or device.
  • the computer readable storage medium or computer usable medium may be, but is not limited to, a random access memory (RAM), read-only memory (ROM), or a persistent store, such as a mass storage device, hard drives, CDROM, DVDROM, tape, erasable programmable read-only memory (EPROM or flash memory), or any magnetic, electromagnetic, infrared, optical, or electrical system, apparatus or device for storing information.
  • the computer readable storage medium or computer usable medium may be any combination of these devices or even paper or another suitable medium upon which the program code is printed, as the program code can be electronically captured, via, for instance, optical scanning of the paper or other medium, then compiled, interpreted, or otherwise processed in a suitable manner, if necessary, and then stored in a computer memory.
  • Applications software programs or computer readable instructions may be referred to as components or modules or data objects or data items.
  • Applications may be hardwired or hard coded in hardware or take the form of software executing on a general purpose computer such that when the software is loaded into and/or executed by the computer, the computer becomes an apparatus for practicing the disclosure.
  • Applications may also be downloaded in whole or in part through the use of a software development kit or toolkit that enables the creation and implementation of an embodiment of the disclosure.
  • these implementations, or any other form that an embodiment of the disclosure may take may be referred to as techniques. In general, the order of the steps of disclosed processes may be altered within the scope of the disclosure.
  • security services may be provided to one or more mobile communication devices by a server or group of servers that operate together.
  • servers may operate together to provide security services without departing from the scope of this disclosure.
  • An embodiment of this system is shown in FIG. 1 , in which one or more servers 151 communicate with one or more mobile communication devices 101 over a cellular, wireless Internet or other network 121 .
  • mobile communication device 101 may also be referred to as a “mobile client device,” “client device,” “device,” or “client,” and may be referred to in the singular or plural form.
  • the one or more servers 151 may have access to a data storage 111 that stores security information for the one or more mobile communication devices 101 .
  • Data, assessment information, information about the mobile communication devices 101 , or other objects for storage may be stored on servers 151 and/or data storage 111 .
  • Servers 151 or data storage 111 may be singular or plural, or may be physical or virtualized.
  • Data storage 111 may be a database, data table, data structure, file system or other memory store.
  • Data storage 111 may be hosted on any of the one or more servers 151 , or may exist externally from the one or more servers 151 , so long as the one or more servers 151 have access to data storage 111 .
  • data storage 111 is an external service provided by a third-party, such as the Simple Storage Service (S3) or other products provided by Amazon Web Services, LLC.
  • S3 Simple Storage Service
  • server 151 operates as an HTTP server and the device 101 operates as an HTTP client.
  • mobile communication device 101 and server 151 may use Transaction Layer Security (“TLS”).
  • TLS Transaction Layer Security
  • device 101 may send one or more identifiers or authentication credentials to server 151 .
  • authentication credentials may include a user name and password, device specific credentials, or any other data that identifies mobile communication device 101 to server 151 .
  • Authentication may allow server 151 to store information specific to mobile communication device 101 or an account associated with mobile communication device 101 , to provide customized services to device 101 , and to maintain a persistent view of the security status of mobile communication device 101 .
  • mobile communication device 101 will transmit certain data to server 151 .
  • server 151 will analyze this data and provide a security related assessment, response and/or other action. The following describes the type(s) of data transmitted from mobile communication device 101 to server 151 , the analysis performed by server 151 , and the action taken with or by mobile communication device 101 .
  • an embodiment of this disclosure may exist independently on mobile communications device 101 , or may be incorporated into an existing security system resident in the mobile communications device such as the one described in U.S. patent application Ser. No. 12/255,614, entitled “SYSTEM AND METHOD FOR MONITORING AND ANALYZING MULTIPLE INTERFACES AND MULTIPLE PROTOCOLS,” filed on Oct. 21, 2008, and incorporated in full herein.
  • U.S. patent application Ser. No. 12/255,614 entitled “SYSTEM AND METHOD FOR MONITORING AND ANALYZING MULTIPLE INTERFACES AND MULTIPLE PROTOCOLS,” filed on Oct. 21, 2008, and incorporated in full herein.
  • a cross-platform system such as the one disclosed in U.S. patent application Ser. No.
  • This data includes network data, files, executable and non-executable applications, emails, and other types of objects that can be transmitted to, received by, or installed on a mobile communications device.
  • Mobile communication devices also typically transmit and receive data through one or more network interfaces, including Bluetooth, WiFi, infrared, radio receivers, and the like.
  • data may be encapsulated in a layered communications protocol or set of protocols, such as TCP/IP, HTTP, Bluetooth, etc.
  • Current server-client security models such as those currently available for desktop and laptop computers, cannot extend their capabilities to provide adequate assessment and security to a plurality of mobile communication devices.
  • the first type of data includes data about a mobile communication device, i.e., “device data.”
  • Device data pertains to the state, capabilities, operating system, firmware version, memory capacity, available communication ports, battery limitations, hardware characteristics and other “baseline” information that may be common to all similar devices absent user customization.
  • Device data may include the default specifications for a device as it is received from a manufacturer, service provider, or IT service.
  • Device data may include state information common to all similar mobile communications after they have all been upgraded in some fashion.
  • device data may be used to evaluate whether vulnerabilities exist due to unguarded communication ports, operating system exploits, device-specific attacks, and the like.
  • a second type of data that can be used to evaluate mobile communication devices is data that pertains to a particular application, file, or object that may be installed or run on a mobile communication device.
  • this data is referred to as “application data.”
  • Application data includes both data objects and information about data objects, such as behavioral data or metadata.
  • Data objects include application packages that may be particular to certain mobile communication devices. For example, iPhone OS devices typically use IPA files or APP packages, Android OS devices typically use APK files, Windows Mobile devices typically use CAB, EXE or DLL files, and Symbian OS devices typically use SIS files.
  • Devices may also support cross-platform application formats such as the SWF format underlying Adobe's Flash runtime or JAR files that can be run on Java virtual machines.
  • Application data includes data objects that are malware or spyware, and thereby can negatively affect a mobile communication device.
  • Malware and spyware include applications, files, and other data objects that are purposefully designed to adversely affect or steal information from a mobile communication device.
  • Application data also includes data objects that are not designed for nefarious reasons, but may have coding flaws or other issues that can negatively affect a device.
  • Application data also includes data objects that may be undesirable for various reasons. For example, a data object may be undesirable because it compromises privacy, overtaxes a device's battery or network connection, and/or has objectionable content.
  • data objects may also be referred to as “data items.” Use of either term is not intended to limit the data to any one form.
  • Application data includes metadata about data objects.
  • metadata is information about a specific data object, rather than the data object itself.
  • Metadata includes the location on a mobile communication device's filesystem where a data object is stored, a hash of the data object, the name of the data object, a unique identifier present in or associated with the data object such as a GUID or UUID, security information related to the data object such as its cryptographic signer information or level of permissions granted, and characteristics of how the data object is installed on or integrates with the mobile communication device's operating system.
  • Metadata for a data object may also include from where the data object came (e.g., a URL from where it was downloaded, an application marketplace from which it was downloaded, a memory card from where it was installed or stored.
  • Metadata may also be retrieved from an application marketplace.
  • Such metadata called marketplace metadata, includes information about a data object such as the number of downloads, user comments about the data object, the description of the data object, permissions requested by the data object, hardware or software requirements for the data object, information about the data object's author, the price of the data object, the language or languages supported by the data object, and other information that a marketplace may provide.
  • application data also includes behavioral data.
  • Behavioral data includes information about how an application interacts with or uses a mobile communication device's resources, such as memory usage, battery usage, network usage, storage usage, CPU usages, API usage, errors and crashes, network services connected to (e.g., remote host address and port), and runtime library linkage.
  • Behavioral data also includes information about how an application, file or data object, when it is run, utilizes the functionalities of the mobile communication device's operating system, such as notifications and messaging between processes or installed applications.
  • both device data and application data are useful for providing an assessment of the security of a device based upon the data stored (e.g., installed applications) or passing through the device.
  • data stored e.g., installed applications
  • device data and application data are merely examples of the types of data that may used in order to safeguard a mobile communication device or provide other functions related to a mobile communication device.
  • Other types of data may also be evaluated by the disclosed system without departing from the scope of this disclosure.
  • the term assessment refers to information relating to a data object that may be used to evaluate or otherwise further understand a data object's operation or effect of operation.
  • an assessment may include a determination that an application is malicious or non-malicious, bad or good, unsafe or safe, or that an application may appear on a blacklist or whitelist.
  • An assessment may include categorization or characterization data for a data object, ratings such as security ratings, privacy ratings, performance ratings, quality ratings, and battery impact ratings for a data object, trust ratings for a data object, distribution data for a data object. Assessments may result from collecting and/or processing data by server 151 and may be exposed by server 151 to users or other systems via an API, user interfaces, data feeds, or other methods.
  • any data transmitted or received during these communications may be stored on server 151 or on data storage 111 .
  • data stored on data storage 111 or server 151 is associated with a particular account or device known to the system. The association between data and a device or account may allow server 151 to provide tailored functionality for the account or device based on previously received data.
  • some or all of the data is stored on server 151 or data storage 111 with an anonymous association to a particular account or device.
  • server 151 will request information from mobile communication devices 101 , which will respond with the requested information.
  • a mobile communication device 101 will transmit device data and/or application data to server 151 for analysis and assessment. For example, a user of mobile communication device 101 may wish to download a file to his device, but prior to installing the file, may wish to send the file or identifying data associated with the file to the server 151 in order to check if the file is malicious or otherwise undesirable.
  • Server 151 will then analyze this received information in order to provide a security assessment that is available to any of the mobile communication devices 101 .
  • server 151 stores assessments of data objects after analysis and can provide access to these assessments in a number of ways. The analysis performed by server 151 will be discussed further below. The process by which server 151 provides access to assessment information will be also be discussed further below.
  • various methods may be used to reduce the amount of data requested by and transmitted to server 151 .
  • hashing functions or hashing algorithms may be applied to data and the resulting hash of the data may be sent to the server 151 .
  • the server 151 may use the hash to uniquely identify the data object. If the server has previously performed an assessment of the data object identified by the hash, the server 151 may return that previous assessment if it is still valid. If the server 151 has not yet performed an assessment for the data object, the server 151 may return a response indicating that the assessment is unknown and/or request additional data from the mobile communication device 101 .
  • a hashing algorithm will transform an arbitrary amount of data into a fixed length identifier.
  • the SHA-1 hashing algorithm can digest an arbitrary amount of input data into a 160-bit hash.
  • metadata besides a hash of the data object may be sent in lieu of a data object itself, e.g., metadata for an application may be sent for an assessment rather than the whole application.
  • Metadata such as a package name, application name, file name, file size, permissions requested, cryptographic signer, download source, a unique identifier such as a UUID, and other information may be sufficient as identifying information for a data object; thus, if server 151 receives appropriate identifying information, it can determine if the data object is undesirable.
  • server 151 receives appropriate identifying information, it can determine if the data object is undesirable.
  • server 151 there are a variety of methods by which a data object can be identified in such a way that can allow server 151 to determine if a data object installed on device 101 is malicious without having to transmit the entire data object to server 151 .
  • server 151 may request portions of a data object, rather than a complete data object. A whole data object may be transmitted incrementally such that network 121 is not burdened by network traffic.
  • server 151 may request information about a particular application, but may query a group of mobile communication devices that each has this application. In this manner, server 151 may receive a portion, or “chunk” of data from one mobile communication device, and another portion of data from a second mobile communication device, and so forth, as necessary. Server 151 may then aggregate this information as it is being received, thereby pooling from a number of mobile communication device having the application/file data without taxing any specific mobile communication device. An example of this method is discussed further below.
  • FIG. 2 is a general overview of the transmission of different types of data between a mobile communication device 101 and server 151 .
  • mobile communication device 101 sends application data to server 151 , which receives this data (block 203 ).
  • mobile communication device sends identifying or authentication information to server 151 so that server 151 can reference previously stored identifying or authentication information about mobile communication device 101 , store and retrieve data associated with the mobile communication device 101 , and specifically identify or authenticate mobile communication device 101 amongst other mobile communication devices.
  • server 151 sends a notification to mobile communication device 101 (block 205 ).
  • This notification can be an alert, a message, an instruction or other information related to application data or device data specific to mobile communication device 101 .
  • the notification is due to the device previously having sent application data corresponding to a data object that was not initially assessed by the server 151 to be undesirable but was subsequently determined by the server 151 to be undesirable.
  • mobile communication device 101 receives the notification, and in block 209 , the mobile communication device 101 takes action based upon the notification. As will be discussed in more detail below, such actions may include deactivating one or more features or applications on the mobile communication device 101 .
  • server 151 can include communication from the mobile communication device to the server, as well as from the server to the mobile communication device.
  • server 151 may receive application data from mobile communication device 101 , but server 151 may require additional information before providing an assessment or transmitting a notification.
  • server 151 may request the additional information from mobile communication device 101 .
  • Mobile communication device receives the request (block 213 ), gathers additional information as requested by server 151 (block 215 ), then in block 217 , transmits the additional information to server 151 .
  • server 151 receives the requested additional information.
  • this process may repeat as necessary.
  • FIGS. 3-7 illustrate the transmission and collection of application data and device data in more detail.
  • FIG. 3 illustrates an embodiment in which server 151 evaluates a change in a data object stored on mobile communication device 101 .
  • mobile communication device 101 detects a change in a specific data object (block 301 ).
  • detecting changes in a data object may involve mechanisms such as intercepting system calls or file system operations, a file system or other data object change listener, receiving an event from a package management system (e.g., PACKAGE_UPDATED and/or PACKAGE_REPLACED intents in the AndroidTM operating system), and polling for data objects in a file system or other system capable of enumerating data objects.
  • a package management system e.g., PACKAGE_UPDATED and/or PACKAGE_REPLACED intents in the AndroidTM operating system
  • detecting changes may also be used. Alternatively or additionally, the following methods may occur when a change to a data object is detected, upon request by the user of the mobile communication device, or upon a pre-configured schedule for analyzing and assessing data objects on the mobile communication device.
  • a change in a data object includes any time a data object is added, removed, or modified.
  • mobile communication device 101 waits for confirmation from the server before recording that it has successfully transmitted application data for the data object.
  • server 151 After receiving application data for a data object from a mobile communication device 101 , server 151 transmits a confirmation. If there was an error in transmission or with the data itself, server 151 returns an error. If mobile communication device 101 receives an error from server 151 , or no response after transmitting application data for a data object, mobile communication device 101 will not record the application data for the data object as having been sent, and the mobile communication device 101 may retry sending the data at some point in the future.
  • a mobile communication device 101 recording whether or not server 151 has successfully received application data for a data object is important to the functioning of a reliable data collection system.
  • any time application data for a data object has not been transmitted from mobile communication device 101 and received by server 151 , it is considered to be changed and needs to be transmitted.
  • mobile communication device 101 stores whether it has transmitted and server 151 has successfully received application data for one or more data objects present on the device.
  • mobile communication device 101 may store a database containing identification information for data objects that have been successfully reported to server 151 to determine whether the device needs to transmit application data for those data objects. For example, a data object that is a file on a filesystem may be identified by a hash of its contents. When the data object is first installed on a mobile communication device 101 , the database may contain no data for the data object.
  • the mobile communication device 101 Because there is no identifying information for the data object, the mobile communication device 101 recognizes the data object as new and transmits application data for the data object to server 151 indicating that the object is new. After transmitting application data for the data object to server 151 and receiving confirmation that the server successfully received the application data, the device stores the hash of the file contents and the location on the filesystem where the file resides in the database. If the data object were to be deleted, the mobile communication device 101 can detect that there is no file at the previously stored filesystem location and can report the deletion of the data object to server 151 by reporting the filesystem location and/or hash identification information for the data object.
  • the mobile communication device can detect that there is a file in the previously stored location on the filesystem, but the content hash of the file does not match the stored content hash. In this case, the mobile communication device 101 can report to the server that the data object identified by the file location and/or previous content hash has been updated and report the new content hash of the file.
  • a security system installed on mobile communication device 101 may report application data for a data object to server 151 for purposes of receiving an assessment of the data object. If a mobile communication device downloads a new application that is malicious, it is important that the security system detect this new item as soon as possible. Server 151 can analyze the new application and provide a security assessment whereby actions can be taken based on the results. In another example, a first version of an application may be safe, but a second version of the application may be malicious. It is important that a security system recognize this update as different from the first version of the application so that it will produce a new assessment of the second version and not just report the first assessment. Server 151 can analyze the updated application and provide a security assessment whereby actions can be taken based on the results.
  • mobile communication device 101 transmits identification information for the mobile communication device to server 151 .
  • the identification information is authentication information.
  • the identification information is a non-authoritative identifier for the device such as a device ID that is not considered to be secret.
  • identification information includes device information for the mobile communication device (e.g., make, model, hardware characteristics).
  • mobile communication device 101 transmits information for the changed data object. Such information may include identifying information for the data object, such as metadata (e.g., hash, package name, file name, file path, cryptographic signer, unique identifier such as a UUID) and the like.
  • metadata e.g., hash, package name, file name, file path, cryptographic signer, unique identifier such as a UUID
  • server 151 receives the identifier for mobile communication device 101 and information for the changed data object.
  • the received data is stored by server 151 on the server or on data storage 111 (block 307 ). In an embodiment, only some of the data received by server 151 is stored.
  • server 151 provides an assessment for the changed data object using any of the techniques disclosed herein or from U.S. patent application Ser. No. 12/255,621, which is incorporated in full herein. The assessment may include instructions and/or a categorization labeling the changed data object as safe, malicious, or unknown.
  • some or all of the received data is stored on server 151 or data storage 111 and is associated with the device that transmitted the data.
  • server 151 may later allow server 151 to determine which applications a device has encountered.
  • some or all of the received data is stored on server 151 or data storage 111 in a way that server cannot directly tie the information to a particular device.
  • server 151 may store received data without any link to a particular device or account.
  • data may be anonymously associated with a device by the server associating the data with an identifier when stored. To ensure that server 151 cannot associate the stored data with a particular device, the identifier is only known to the device transmitting the data and is provided to the server whenever the device transmits data. The server does not store this identifier so that the identifier is never directly linked with a particular device or account on server 151 or data store 111 .
  • server 151 stores the results of the assessment on the server or on data storage 111 . If, when an assessment for a data object is required 309 and a previous assessment for the data object exists and is considered valid, server 151 retrieves the previous assessment from data storage 111 instead of performing a new assessment. Assessments may be considered to be for the same data object if the metadata relating to each object matches in a variety of ways, including if the assessments relate to data objects with the same hash, same package name, same cryptographic signer, or same file path. In block 311 , the assessment is transmitted to mobile communication device 101 , which receives this assessment from server 151 (block 313 ), then processes the assessment or takes appropriate action (block 315 ).
  • FIG. 4 illustrates such an embodiment.
  • mobile communication device 101 detects a change in a specific data object.
  • mobile communication device 101 sends identification information for the device and information about the changed data object to server 151 .
  • Server 151 receives the identification information for mobile communication device 101 and information about the changed data object (block 405 ).
  • server 151 stores the changed data information on the server or on data storage 111 .
  • server 151 may analyze and assess the changed data object, and may report the assessment to mobile communication device 101 (block 411 ). As discussed previously, if an assessment has already been performed for the data object, that previously performed assessment may be retrieved and used instead of re-performing the assessment. If server 151 reports an assessment, mobile communication device 101 receives the assessment or other notification in block 413 , and processes the assessment (block 415 ).
  • the assessment for the data object may change. For example, a data object that may previously have been assessed as safe or unknown may later be identified as malicious, causing some previously unknown vulnerability, or causing an undesirable behavior such as network overuse or battery drainage.
  • server 151 may transmit a notification, remediation instructions or the like to mobile communication device 101 .
  • Mobile communication device 101 receives the notification from server 151 (block 421 ), then performs the recommended actions or remediation instructions (block 423 ).
  • mobile communication device 101 transmits a confirmation that it performed the required actions, which server 151 receives (block 427 ).
  • the notification is only sent to mobile communication device 151 if the data object is determined to be present on mobile communication device.
  • the server 151 stores information on the server 151 or on data storage 111 allowing the server 151 to determine whether the mobile communication device 101 currently has the data object or has previously requested an assessment for the data object.
  • FIG. 4 provides only one example of how server 151 may report changes in assessment to a mobile communication device, and some steps may be skipped without departing from this disclosure.
  • mobile communication device may perform remediation instructions or other required actions without sending confirmation to server 151 .
  • server 151 may request additional information about a particular data object from mobile communication device 101 .
  • mobile communication device 101 may send information about a changed data object to server 151 ; however, the information sent may be insufficient for server 151 to perform a conclusive analysis.
  • FIG. 5 illustrates this embodiment.
  • mobile communication device 101 detects that a data object has changed, and transmits identification information for mobile communication device 101 with information for the changed data object to server 151 (block 503 ).
  • Server 151 receives the identification information for mobile communication device 101 and information for the changed data object (block 505 ), and stores the information for the changed data object on the server or on data storage 111 (block 507 ).
  • server 151 determines whether it requires additional information about the changed data object. For example, server 151 may attempt to assess whether the changed data object is safe or malicious, but is unable to provide a conclusive assessment (i.e., the assessment results in “unknown”). The determination of whether more information is needed can be performed either before the server 151 performs an assessment if there is not enough data to even begin an assessment or after an assessment returns inconclusively due wholly or in part to a lack of data. If additional information is required, then server 151 may request the additional information from mobile communication device 101 (block 511 ).
  • mobile communication device 101 receives the request for additional information, gathers the requested information (block 515 ), then transmits the additional information to server 151 (block 517 ).
  • additional information includes behavioral data for a data object and application data for the data object, such as the content for the data object.
  • server 151 receives the additional information from mobile communication device 101 , and stores the additional information (block 521 ). Server 151 may then analyze the changed data object information with the additional information to provide an assessment (block 523 ), which may be sent to the mobile communication device 101 (block 525 ).
  • mobile communication device 101 receives the assessment of the changed data object from server 151 then processes the assessment (block 529 ).
  • mobile communication device 101 may elect to transmit additional information to server 151 .
  • server 151 may analyze a data object, but not provide a conclusive assessment. Rather than requesting additional information from mobile communication device 101 , the device may request an additional assessment by providing additional information for the data object to server 151 .
  • FIG. 6 illustrates this embodiment.
  • mobile communication device 101 detects a change in a data object, then in block 603 , mobile communication device 101 sends its identification information and information for the changed data object to server 151 .
  • server 151 receives the identification information for mobile communication device 101 and the information for the changed data object. This information is stored by server 151 on the server or on data storage 111 (block 607 ), then analyzed by server 151 to result in an assessment (block 609 ).
  • server 151 transmits the assessment or an appropriate notification to mobile communication device 101 .
  • Mobile communication device 101 receives the assessment from server 151 (block 613 of FIG. 6 ).
  • mobile communication device 101 determines whether to send additional information about the data object.
  • server 151 may be unable to produce an assessment for the data object given the data it has available, and thus needs more information to be able to produce an assessment.
  • mobile communication device 101 determines that it should send additional information about the data object, then this information is gathered.
  • mobile communication device 101 transmits the additional information to server 151 , which receives this information (block 621 ), and stores the received additional information (block 623 ).
  • server 151 will know that the additional information will pertain to the information previously received by server 151 (block 605 ), since mobile communication device 101 will transmit identification information with the additional information.
  • server 151 analyzes the additional information received from the mobile communication device 101 .
  • the additional information may be analyzed with the previously received information (block 605 ).
  • server 151 transmits the assessment to mobile communication device 101 , which processes the assessment (block 629 ). If mobile communication device 101 still needs to send additional information, it may repeat the process as necessary.
  • server 151 may have access to a plurality of mobile communication devices, some of which may run or store the same application programs or data objects. Requesting data object information from a single mobile communication device can cause network traffic, affecting not only the single mobile communication device, but other devices on the network. In an embodiment, if server 151 requires information about a data object that is stored on more than one mobile communication device, server 151 can gather portions of the required information from each of the mobile communication devices, rather than relying on a single device.
  • FIG. 7 illustrates an embodiment using a first and a second mobile communication device, thereby optimizing data collection from two or more mobile communication devices.
  • the first mobile communication device detects a change in a data object.
  • the data object is also found on the second mobile communication device, but may or may not realize the same change.
  • the first mobile communication device transmits its identification information and information for its changed data object to server 151 (block 703 ).
  • server 151 receives the identification information for the first mobile communication device with the information for the changed data object. This information is stored by server 151 (block 709 ).
  • server 151 determines that it requires additional information about the data object.
  • server 151 identifies the second mobile communication device that server 151 knows also stores the data object as well as additional information for the data object.
  • server 151 requests the additional information for the data object from the second mobile communication device. This request is received by the second mobile communication device (block 717 ). In response, the second mobile communication device will gather the additional information (block 719 ), then transmit the additional information to server 151 (block 721 ). Server 151 receives (block 723 ) and stores the additional information about the data object from the second mobile communication device on server 151 or on data storage 111 (block 725 ), then analyzes this additional information with the previously received information from the first mobile communication device to render an assessment (block 727 ). This assessment is transmitted to the first mobile communication device (block 729 ), which receives the assessment (block 731 ) and process the assessment (block 733 ). One will appreciate that if relevant, server 151 may also transmit the assessment to the second mobile communication device.
  • server 151 can gather additional information from multiple devices.
  • server 151 chooses which devices to request additional information from by analyzing device information and application data previously stored by server. For example, to characterize an application's usage of SMS messaging to determine whether or not it is abusing SMS for spam purposes, server 151 may request the count of SMS messages sent by an application from many mobile communication devices that have previously reported that they have installed the application.
  • server attempts to analyze a data object to produce an assessment without first waiting to receive information about the data object from a device. Instead, server may receive data from other sources and proactively request information from one or more devices to create an assessment for the data object.
  • application data for a data object that is gathered and transmitted by mobile communication device 101 to server 151 may include behavioral data about the data object. Usage of such data by server 151 , such as during analysis, is discussed more in depth below. Behavioral data may include information about what the data object did when it ran on the device.
  • Examples of behavioral data include information about network connections caused by the data object (e.g., server names, source/destination addresses and ports, duration of connection, connection protocols, amount of data transmitted and received, total number of connections, frequency of connections, and network interface information for the connection, DNS requests made), behavior of the data object when run (e.g., system calls, API calls, libraries used, inter-process communication calls, number of SMS messages transmitted, number of email messages sent, information about user interfaces displayed, URLs accessed), overhead caused by the data object (e.g., battery used, CPU time used, network data transmitted, storage used, memory used).
  • Other behavioral data includes the context when a particular behavior occurred (e.g., whether the phone's screen was off when the data object sent an SMS message, whether the user was using the data object when it connected to a remote server, etc.).
  • mobile communication device 101 limits what type of behavioral data for a data object it gathers and transmits, and how frequently to gather and transmit behavioral data based on the period of time since the data object has last changed. For example, when a data object is first installed on a mobile communication device, the device may gather and transmit the full amount of behavioral data available every day. After one week following installation of the data object, the device may only send a limited subset of behavioral data in weekly intervals.
  • the device may only send a minimal amount of behavioral data in monthly intervals.
  • the device may transmit the full scope of behavioral data daily and reduce the scope and frequency of data gathered and transmitted after one week and/or after one month.
  • server 151 sends configuration to mobile communication device 101 requesting that the device send specific types of behavioral data at a specific frequency. The device stores the configuration so that it may determine whether to gather and/or transmit behavioral data for data objects.
  • the configuration information is specific to a particular data object.
  • the configuration information is for all data objects encountered by the device.
  • server 151 requests behavioral data for a particular data object from the device so that the server can minimize unnecessarily gathered and transmitted behavioral data.
  • server 151 can influence the gathering and transmission of behavioral data from device 101 to server 151 .
  • server 151 may transmit instructions to mobile communication device 101 , requesting behavioral data for a data object only if the server has information indicating that the device currently has the data object, and if the server needs more behavioral data to better assess the data object.
  • the server 151 determines that it needs more behavioral data for an object based on the number of devices that have already reported behavioral data. For example, the server may require at least one hundred (100) devices to report behavioral data for each data object in order to have a confident assessment.
  • the difference of the behavioral data reported by different devices is used to determine how much behavioral data is needed for an assessment to be confident.
  • the server may not request any more behavioral data for that object; however, if those thirty (30) devices showed a wide variation of battery usage, the server may request behavioral data from two hundred (200) devices.
  • a mobile communication device may only transmit behavioral data if the data is outside of normal bounds.
  • the bounds are universal to all data objects. For example, a bound on network usage may be set so that mobile communication device transmits behavioral data for a data object's network connections only if the data object maintains at least one open connection for more than 50% of the time it is running or if the data object transmits more than one megabyte of data in a 24 hour period.
  • server 151 can, update bounds on a mobile communication device 101 by transmitting updated bound information to the device.
  • bounds may be particular to one or more data objects.
  • a device may have a set of default bounds by which it will send behavioral data, but the server may transmit bounds for a particular data object, identifying that data object through identifying information such as a hash, cryptographic signer, package name, or filesystem location.
  • the updated bounds may instruct the device to send more or less behavioral data than the default set of bounds.
  • a mobile communication device may default to never send behavioral data.
  • the server may send bounds to the device specifying the typical behavior of the data object on other devices (e.g., uses less than 100 kilobytes of data per day, never sends SMS messages, never sends email) so that if the data object deviates from these bounds, the mobile communication device will send the deviated behavioral data to the server.
  • bounds may be useful in the case of a legitimate application that becomes exploited and begins exhibiting uncharacteristic behavior or in the case of a “time-bomb” application that only starts becoming malicious after a certain time.
  • data transmitted from mobile communication device 101 to server 151 is configurable in order to protect user privacy; prevent overuse of device, network, or server resources; or for other reasons.
  • Some example configurations include choosing what application data is sent from device 101 to server 151 , how often application data is sent, and how application data is re-transmitted should initial transmissions fail.
  • Example configurations may further include transmitting only identifying information (e.g., no additional metadata or behavioral data), never transmitting any application data, never transmitting data object content, only transmitting application data for data objects based on the source of the data objects, only transmitting certain type of behavioral data, only transmitting a certain amount of application data per day, only transmitting one data object's content per day, transmitting behavioral data a maximum of once per day per data object, and the like.
  • identifying information e.g., no additional metadata or behavioral data
  • the configuration may be enforced by a mobile device 101 and/or server 151 by the device only making certain transmissions and/or the server only making certain requests from the device.
  • the configuration is controlled by one or more parties.
  • the configuration may be automatically set by server 151 or software residing on mobile communication device 101 , or controlled by an administrator via server 151 , and/or controlled by a user via mobile device 101 .
  • portions of the configuration are controlled by different parties. For example, a user may be able to control whether or not data objects are reported to server 151 but an administrator on server 151 may control the behavioral data reporting frequency for all devices to optimize battery usage of the security system.
  • software on a mobile communication device 101 displays a user interface dialog when it receives a request to transmit application data for a data object, such as its content or behavioral data.
  • a request for the data object's content may be for the whole content or for a portion of the content, the request identifying which portion of the content if a portion is requested.
  • the user interface dialog displayed may identify the data object for which application data is to be transmitted, and give the device's user a chance to allow or reject the transmission.
  • the dialog allows the user to have the device remember his or her decision for future data objects.
  • the dialog allows the user to view more in-depth information about the application data to be sent, and provides a way for the user to understand the privacy implications of sending the data such as linking to a privacy policy, privacy description, or other content that describes how the data is transmitted, stored, and used.
  • a mobile communication device attempts to transmit a data object when it receives an indication that server 151 needs more information to produce an assessment.
  • the device may display a user interface dialog prompting the device's user to choose whether or not to transmit the data object's content when the device attempts to transmit a data object.
  • some attempted transmission of certain types of application data such as a data object's content, results in user interface dialog for confirmation while other types of application data, such as metadata or behavioral data, are transmitted without requiring a user confirmation.
  • mobile communication device 101 and/or server 151 may perform grouping by comparing application data between multiple data objects.
  • application data that may be used to group data objects includes how data objects were installed (e.g., data objects from the same installer may be grouped), if data objects are linked together at runtime or dynamically, whether multiple data objects are in the same filesystem directory, and if data objects share a cryptographic signer.
  • an application installer may extract an executable and multiple libraries to the filesystem on a mobile communication device.
  • the mobile communication device 101 may use the common installer to consider the data objects grouped and may store the grouping information for use in gathering behavioral data (discussed below).
  • each data object's application data may include identification information for the common installer.
  • the server 151 may explicitly store the grouped relationship on server 151 or in data storage 111 to efficiently access the grouping information during analysis.
  • mobile communication device 101 transmits information indicating that grouped data objects are associated and transmits application data for grouped data objects to server 151 together. For example, if a process on a mobile communication loads multiple components from different vendors and network data can only be gathered on a per-process level, and/or if the process is detected to be connecting to a known malicious server, then it may be desirable for all components loaded in the process to be identifiable by the server to determine the offending component.
  • the mobile communication device 101 gathers behavioral data (such as the IP addresses the process has connected to) for the process, the device reports identification information for all of the data objects that are associated with the process to the server.
  • the server receives behavioral data for a group of data objects it may analyze behavioral data from multiple devices and determine that only groups containing a particular data object will connect to the malicious server. Thus, only the data object that results in connecting to the malicious server will be considered malicious.
  • behavioral data for the device as a whole may be transmitted to the server as representing the group of all data objects installed on the device.
  • devices running that operating system may transmit a list of applications installed on each device and the overall battery life for each device to server 151 .
  • the server can then perform analysis on this data to determine which applications are correlated to better or worse battery life and estimate each application's contribution to battery life when installed on a device.
  • the mobile communication device will join the configurations together. For example, if mobile communication device 101 is configured to report a large amount of behavioral data every day for one data object, but is configured to only report anomalous behavioral data for another data object, and the data objects are grouped, the device may join the two configurations and report a large amount of behavioral data for the group.
  • the second data object is configured to never report behavioral data for privacy reasons, no behavioral data may be reported for the group to satisfy the privacy constraint.
  • data transmitted by server 151 or mobile communication device 101 may be formatted using binary formats or non-binary formats. Examples include formatting data in XML, JSON, or as part of a URI.
  • the data may be transmitted using a variety of protocols, including TCP, UDP, DNS, and HTTP. Other formats and/or protocols may be used without departing from this disclosure.
  • mobile communication devices 101 will transmit some or all of the above-described data to server 151 for analysis so that server 151 can provide an assessment of the analyzed data.
  • server 151 can provide an assessment of the analyzed data.
  • analysis techniques One having skill in the art will appreciate that while the examples and disclosure below uses the data gathered using the methods described herein, other types of data may be transmitted and that this disclosure is not limited to the data described herein.
  • server 151 may receive data from sources other than mobile communication devices for use in analyzing a data object and producing assessments.
  • FIG. 10 illustrates an embodiment in which server 151 may receive data from multiple sources and transmit assessment information for multiple uses.
  • servers 151 are illustrated as a “cloud” to emphasize that multiple servers may operate in coordination to provide the functionality disclosed herein.
  • One or more mobile communication devices 101 are illustrated as a group to emphasize that multiple devices 101 may transmit and receive information to and from server 151 .
  • one or more mobile communication devices 101 may transmit application data for data objects to server 151 and devices 101 may receive assessment data, requests for more information, notifications, and the like from server 151 .
  • server 151 can receive information pertaining to data objects from a variety of data gathering systems. Such systems may be separate from server 151 or may be part of server 151 .
  • a data gathering system directly updates a database or other storage on server 151 or data storage 111 with information for one or more data objects.
  • a data gathering system communicates with server 151 to provide information to server 151 .
  • a web crawler 1003 downloads data objects that can run on mobile communication devices and retrieves information about data objects, feeding both to server 151 .
  • the web crawler 1003 may utilize a search engine to look for web sites that host mobile applications. Once the crawler 1003 identifies sites hosting mobile downloads, the crawler may retrieve web pages available on those sites, examining the content of each page to determine additional pages to retrieve. For example, a page on a mobile download site may contain links to other pages as well as links to download data objects. It may be desirable for data gathering systems to only transmit information to server 151 that is relevant to mobile devices, as there is much content available on the internet that does not affect mobile communication devices (e.g., PC software).
  • the crawler 1003 can identify if a data object available for download or that has already been downloaded is able to run on a mobile communication device. For example, the crawler 1003 may examine a download URL for a specific string indicating that the URL corresponds to mobile application package (e.g., SIS, APK, CAB, IPA). In another example, the crawler 1003 may examine a data object after it has been downloaded to determine if it affects mobile communication devices and if so, whether it affects a specific mobile platform. In this case, the crawler 1003 may examine the data object downloaded for characteristics such as its name, whether it contains executable code compatible with any mobile platforms, or if it contains data that is typical for a particular mobile device platform.
  • mobile application package e.g., SIS, APK, CAB, IPA
  • the crawler 1003 may examine a data object after it has been downloaded to determine if it affects mobile communication devices and if so, whether it affects a specific mobile platform. In this case, the crawler 1003 may examine
  • the web crawler 1003 gathers marketplace metadata about data items and transmits the marketplace metadata to server 151 .
  • Some example marketplace metadata includes from which web sites a data object is available for download, user ratings and comments for a data object, the price of the data object if it is available for purchase, the number of times the data object has been downloaded, information about the author of the data object, and other information pertaining to a data object that is available on web sites.
  • a given data object can be used to determine how trustworthy a data object is. For example, a data object available from a reputable company's web site may be considered more trustworthy than a data object uploaded on a mobile device forum by one of the forum's users.
  • an application marketplace data gathering system 1005 retrieves information about a data object, such as the data object's content and marketplace metadata for the data object, from mobile application marketplaces and reports the information to server 151 .
  • the application marketplace data gathering system 1005 is part of server 151 .
  • the application marketplace data gathering system is separate from server 151 .
  • Application marketplaces are often provided by mobile platform vendors (e.g., Android Marketplace, Blackberry App World, Apple App Store, Nokia Ovi Store) or third parties (e.g., GetJar, Handango) and may use a proprietary API.
  • application marketplace data gathering system 1005 is configured to communicate with application marketplace servers via a proprietary protocol.
  • the marketplace data gathering system 1005 may transform application data for data objects from a proprietary format into a format that server 151 can utilize for analysis.
  • an application marketplace may provide an API to access users' comments and ratings for an application; however, the data returned by that API may be different from another application marketplace's comment data.
  • an application market may proactively transmit data to marketplace data gathering system 1005 so that the data gathering system does not have to repeatedly query it.
  • application marketplace data gathering system 1005 may transform differently formatted comment data into a standard format for transmission to server 151 .
  • an application marketplace data gathering system 1005 can search for certain terms in user reviews, such as “battery drain,” “crash,” “privacy settings,” “does not work,” “phone number,” “contacts,” and the like, which can be used to characterize an application as “known bad,” or used to establish the trustworthiness of an application using the system components described herein.
  • application marketplace data gathering system 1005 can gather all comment data and analysis of the comment data can be performed by server 151 .
  • server 151 or application marketplace data gathering system 1005 can be capable of recognizing positive reviews or scores for a data object, thereby improving the assessment and/or trustworthiness for the data object.
  • server 151 In addition to automated gathering of data object information, it may be important for server 151 to accept human information 1007 . Such information may include subjective trust scores for mobile application vendors, specific keywords or other characteristics, such as heuristics, that may classify a mobile application as suspicious.
  • server 151 provides a user interface by which someone may provide information to server 151 about a specific data object, a group of data objects (e.g., data objects from a particular developer, all data objects on a specific platform), or for the analysis system as a whole (e.g., updated analysis heuristics).
  • a server separate from server 151 provides a user interface by which someone may provide information about a specific data object, a group of data objects, or for the analysis system as a whole.
  • This separate server may transmit the user-provided information to server 151 where server 151 stores it on server 151 or in data storage 111 .
  • the separate server directly updates data storage 111 with the user-provided information.
  • FIG. 10 illustrates how server 151 may provide information about data objects to external systems.
  • information provided by server 151 may be transmitted via an API; provided as a list, a data feed, a report, or formatted data such as firewall or virus definitions; or in other forms.
  • server 151 provides information about data objects to an application marketplace 1009 .
  • server 151 may provide marketplace 1009 with a list of malicious data objects that are present in marketplace 1009 .
  • server 151 may expose an API by which application marketplace 1009 can transmit identification information (e.g., a hash of a data object's content) to server 151 to determine if the data object is considered malicious or otherwise undesirable.
  • identification information e.g., a hash of a data object's content
  • server 151 provides data to network security infrastructure 1011 so that the network security infrastructure 1011 may protect against malicious or undesired applications at the network level. For example, by protecting at the network level, even mobile communication devices that do not have security software installed may benefit from protection.
  • server 151 transmits threat signatures to network security infrastructure 1011 .
  • threat signatures may take a variety of forms, for example, hashes of undesired applications, binary sequences for undesired applications, package names of undesired applications, firewall rules to block malicious servers or attackers, and rules for a network security system such as Snort.
  • server 151 provides data in the form of data feeds 1013 .
  • the data feeds 1013 may contain a variety of data available to server 151 or data storage 11 either from server's data gathering or from further analysis (described below), for example, a list of any data objects that use more network traffic than a given threshold to identify misbehaving or abusive applications, a list of the most prevalent malicious data objects, and a list of applications that match criteria such as a set of heuristics for identifying potentially malicious applications.
  • server may use a variety of methods of analysis.
  • server can process the information to produce an assessment for a data object.
  • FIG. 11 illustrates an embodiment in which server 151 aggregates application data for a data object, stores the information, generates characterizations and categorizations for the data object, assesses the data object to produce assessment information, and transmits the assessment information.
  • application data e.g., data object content, metadata, behavioral data, marketplace metadata
  • Some of the possible methods for gathering and types of data gathered have been discussed above.
  • Such methods may include gathering data from devices, from web sites, from application marketplaces, from people, and from other sources.
  • application data for the data object is stored on server 151 or data storage 111 so that the data may be used at a different time than when it is gathered.
  • device data is gathered and stored (block 1107 ) on server 151 or data storage 111 . It may be desirable for device data to be linked to the application data for the device that reported so that assessments, categorization, and characterization can take into account the source of the data. For example, if an application only malfunctions when installed on a particular device type, it is important for server 151 to be able analyze application data provided by devices in the context of what particular device type provided the data. In an embodiment, when application data is stored 1103 it is associated with device data for the device that provided it. For example, when a device 101 transmits application data to server 151 , the device may transmit authentication information that allows server 151 to retrieve previously stored data for the device 101 .
  • the device 101 has already transmitted device data to server 151 , the previously stored device data can then be associated with the new application data.
  • application data for multiple devices having the same device data is aggregated so that the stored data is not linked to a particular device, but rather a set of device data shared by one or more devices. In the design of such a system, it may be important to take into account the balance between granularity of device data and the level to which the aggregated data can be ascribed to a particular device.
  • server 151 As part of analyzing a data object, it may be desirable for server 151 to characterize it and/or categorize it (block 1109 ).
  • server 151 stores characterization and categorization data for data objects (block 1111 ). It may be desirable for characterization and categorization data to be updated as more data becomes available or analysis of the data changes.
  • server 151 performs additional analysis (block 1109 ) and updates stored categorization and characterization data (block 1111 ) for a data object when new or updated data for the data object used by analysis systems is available.
  • Characterization data includes information that describes a data object's functionality, behavior, and reputation such as its capabilities, metrics for the data object, analyses of other data relating to the data object, and the like.
  • server 151 produces characterization data about a data object using application data, device data, marketplace data, distribution data, and other data available to server 151 . While some methods are described below, one skilled in the art will appreciate that there are other of methods for generating characterization information that can be employed without departing from the scope of this disclosure.
  • server 151 transmits characterization information as an assessment. One will appreciate that characterization information may be useful for a user to understand when deciding whether to install an application.
  • characterization information is consumed as an input to one or more other analysis systems. For example, an analysis system producing an assessment of the privacy risk of an application may use characterization information to determine if an application has risky capabilities such as sending location or contact list information to an internet server.
  • Capabilities are one form of characterization data that server 151 may produce.
  • server 151 extracts capabilities from a data object.
  • applications may request granular permissions to access privileged functionality on a device, such as sending or receiving network data, accessing the phone's location, reading or writing contact entries, and SMS messaging.
  • server 151 uses data about permissions requested by a data object to determine the capabilities of the data object.
  • Server may determine permission data by a variety of means, including metadata and behavioral data reported by devices, marketplace data, static analysis of data objects, and dynamic analysis of data objects. For example, applications on the Android operating system have to declare permissions at install time, so server 151 may analyze these declared permissions in an application package directly via metadata about an application package reported by one or more devices or via marketplace data to determine permission data.
  • server 151 performs analysis of a data object's content to determine what APIs on a device the data object utilizes.
  • the API analysis may include a search of the data object for data sequences indicating API calls; an analysis of specific library, function, class, or other import data structures in the data object; an analysis of dynamic linker calls; an analysis of calls to local or remote services; static analysis of the data object; dynamic analysis of the data object; and analysis of behavioral data reported by one or more devices.
  • server 151 utilizes extracted API call information to determine that the application has a particular capability. For example, if an application calls an API to interact with a GPS radio on a device, server 151 determines that the application has the capability to determine the device's location.
  • server 151 detects if the code is, or may possibly be, self-modifying.
  • the capability of a data object to modify itself may signify that the data object is of higher risk than data objects that are more straightforward. While many instances of malware on PCs use self-modifying code to hide from anti-malware systems, copy-protection systems also often encrypt code to prevent unauthorized access; thus, self-modification alone may not be sufficient to classify a data object as malicious, it may be used by an analysis system, in addition to other characteristics, such as behavioral data, to produce an assessment for the data object.
  • server 151 analyzes behavioral data to determine capabilities for a data object. For example, server 151 may look for a data object making phone calls, sending SMS messages, accessing the internet, or performing other actions that indicate a particular application capability. In some cases, it is important not only to understand what single functions are utilized by a data object, but also whether an application exchanges data between APIs. For example, an application that uses the internet and can read a device's contact list may have multiple capabilities that have significantly different risks. For example, an address book application that simply uses the internet to check for updates has less of a privacy risk than an address book application that reads contacts and sends those contacts to the Internet.
  • server 151 analyzes data object to determine if there are code paths by which data returned or produced by one API or service are sent to another API or service. For example, server 151 may perform taint tracking between two APIs to determine whether an application transfers data between APIs. For example, server 151 may determine if there is a code path in a data object by which data returned by any call to the contact API on a mobile device can be provided to any network API on the device. If there is such a code path, server 151 determines that the data object has the capability of sending contacts to the internet. Having such a capability may be more valuable during further analysis by server 151 or by a user than simply knowing that an application accesses contacts and that it accesses the internet.
  • server 151 runs a data object in a virtual (e.g., simulated or emulated) or physical device and analyzes the behavior of the data object when run.
  • the virtual or physical device is instrumented so that it reports behavioral data for the data object.
  • the virtual or physical device's network traffic, calls, and SMS messages are analyzed by server 151 .
  • a virtual device may be configured to always report a specific location via its location APIs that are unlikely to occur in any real world circumstance.
  • server 151 By analyzing the device's network traffic for various encodings of that location, such as a binary double encoding, base 64 encoding, and text encoding, server 151 is able to determine whether the data object attempts to report the device's location to a server.
  • server 151 examines the difference in state of the virtual or physical device before the data object is run on the device and after the data object has run.
  • a data object may exploit the kernel on a device upon which it is installed in order to install a stealth rootkit.
  • a virtual device may show a substantial difference in certain sections of memory, such as in a system call dispatch table, that should not change under ordinary circumstances.
  • the physical or virtual device has a custom root certificate authority in its list of trusted certificates and server 151 intercepts all TLS traffic, using a server certificate that is signed by the custom certificate authority, and proxies the traffic to its original destination. Because the device has a custom certificate authority, the data object is able to establish a valid TLS connection through server 151 and all encrypted traffic is able to be analyzed by server 151 .
  • server 151 may be important for server 151 to gather metrics relating to a data object's effect of running on a device or its usage of capabilities on a device. For example, overuse of network data, email, or SMS messaging may be considered abusive or indicative of a malicious or exploited application.
  • server 151 analyzes application data from many mobile communication devices, such as metadata and behavioral data, device data, and other data it has available to it to produce metric data that characterizes a data object. For example, server 151 may determine how much battery usage an application requires on average for all devices or for a particular device type, how much data a data object sends over any network interface or over cellular vs. Wi-Fi network interfaces, how many email messages or SMS messages a data object sends, how many telephone calls an object makes, and other metrics.
  • Server 151 may produce other characterization information from what has been described above that may aid in further analysis by server 151 to produce an assessment or that may be exposed directly by server 151 .
  • server 151 analyzes network traffic information associated with a data object to produce network characterization data, such as a list of the servers the data object has connected to, the ports and protocols on those servers data object communicates with, how much data is transmitted to and received from each server,
  • network characterization information includes what proportion of devices running a particular data object connect to each server.
  • an application that connects to an IM server or a known malicious bot command and control server may connect to only one or a small number of servers on all devices that it is installed on; however, a web browser or application that allows user-specified connections may connect to a very large number of different servers on different devices.
  • server 151 informs one or more devices to not collect network behavioral data for that data object to minimize unnecessary data reporting.
  • the network traffic information is gathered as behavioral data from mobile communication devices or gathered by server 151 running the data object on a virtual or physical device.
  • server 151 determines whether a data object causes a mobile communication device 101 to access malicious Internet or other public or private networks. For example, a data object that causes a mobile communication device to access a malicious website may subject the device to exploitation.
  • An embodiment of this disclosure allows for resolution of transmitted Inter- or Intranet addresses (e.g., URLs) to determine whether the address will direct the mobile communication device to a safe website, rather than a nefarious website or phishing scam. This information can be stored as it relates to a particular data object.
  • server 151 categorizes a data object using data it has available such as application data, device data, marketplace data, and characterization data. For example, if a data object is characterized as calling location APIs on a mobile communication device, then server 151 may categorize the data object as a mapping or other location-based application. In an embodiment, categories may directly map to capabilities, such as applications that read your contact list or applications that can send your location to the internet.
  • server 151 uses metric data for a data object to categorize it. For example, server may have a category of heavy battery users that includes data objects that typically use more than 10% of a device's battery. Because the categorization may be dependent on device data in addition to characterization data, the category of battery wasters may depend on what type of device an assessment is for. For example, a data object that uses more than 10% of one device's battery may use only 5% of another device's battery.
  • server 151 can deduce such information. For example, if a data object communicates with a known instant messaging server, server 151 may determine that the data object is an IM application. For example, applications that connect to servers belonging to a popular social network may be classified during analysis as social networking applications, applications that connect to a known malicious IRC server may be classified as a malicious bot, and applications that drain one or more devices' batteries may be flagged as battery drainers.
  • server 151 exposes an interface by which users can suggest categories for a data object.
  • server 151 may define a category of applications that are inappropriate for children, the applications having content that includes pornography or violence.
  • one or more users can sign in to a community voting system provided as a web application where they can search and browse all applications known to server 151 .
  • the list of applications may be populated by marketplace crawling and application data reported by devices.
  • Each application may have a page whereby users can select their recommended category for that application.
  • the user interface shows information about the data object, such as aggregated application data, characteristics for the data object, and other information available to server 151 so that users can make a decision based on the output of analysis.
  • the user interface allows a user to select from a list of categories, add new categories, and add tags for a data object.
  • the user interface has a discussion component so that that people may discuss the appropriate categorization for a data object.
  • the category for an application is determined by a voting system by which users may select their preferred category for the application, the category selected by the most users being the authoritative category for the application.
  • the user interface is displayed on a mobile communication device, displays a list of data objects installed on the device, and allows a user to suggest categories for those data objects.
  • server 151 processes application data and device data to determine distribution data for a data object.
  • Distribution data may include how widely a given application is currently distributed, what the growth of the application's distribution has been over the period of time that the application has been available, what customer demographics, such as geography, have installed the application, and other functions of the prevalence of an application amongst groups of mobile communication devices.
  • server 151 may examine how many mobile communication devices report having installed a data object at the current time to determine how prevalent that application is.
  • server 151 uses distribution data to determine trustworthiness of a data object or to analyze a data object for risk, as is discussed below. For example, an application that has been installed on many devices for a long period of time without being uninstalled is likely to be less risky than an application that is brand new and only installed on a few devices.
  • server 151 may encounter legitimate applications that are in development and therefore are not distributed widely, an embodiment of this disclosure is directed to server 151 identifying which applications may be in development, thereby preventing them from being classified as undesirable in an anti-malware or other system.
  • Server 151 may receive application data for a data object indicating that the data object has characteristics inherent to applications in development, such as debugging symbols, debuggable permissions or flags, linkage to debugging libraries, and other characteristics. Applications in development may also be likely to have low distribution or isolated distribution. If server 151 identifies that an application is in development, it may store an indication of the application being considered in development and use the indication to prevent server 151 from assessing the application as suspicious or undesirable or to decrease the likelihood that the server reaches such assessments.
  • server 151 when determining whether a data object should be treated as “in development,” server 151 considers previous data objects encountered by devices that encountered the data object in question. If the devices frequently encounter data objects that are in development, server 151 is more likely to classify the data object as in development. If the devices infrequently encounter data objects in development, server 151 is less likely to classify the data object as under development.
  • server 151 establishes the reputation or level of trust for the data object.
  • the level of trust is determined manually or automatically and assigned to a single data object, multiple data objects that are part of an application, multiple versions of an application, or for all applications from a given developer on one platform or multiple platforms.
  • trust data is stored by server 151 on the server or in data storage 111 so it may be subsequently used directly or as part of producing an assessment.
  • trust is granted via a manual review process for an application. For example, if server 151 deems application to be risky based only on its capabilities (e.g., has access to private data and/or utilizes sensitive APIs), a user viewing the assessment may choose not to download it, even if the application is well regarded. To solve this problem, the application may be assigned a trust rating by manual review. If the review deems the application to be trustworthy, the assessment reports the application as not risky; however, if upon review, the application is determined to be suspicious, the assessment may continue to report the application as risky.
  • server 151 grants a data object a high level of trust if the data object can be attributed to a trusted vendor or trusted applications through data available to server 151 such as the data object's cryptographic signer, package name, or marketplace metadata.
  • server 151 uses distribution data and application data to establish trust for an application. For example, if a popular application, such as Google® Maps, is installed on millions of mobile communication devices and there are multiple previous versions of the application all having the same cryptographic signer and similar distribution characteristics, subsequent versions of the application with that cryptographic signer would be deemed to have a high level of trust. If server 151 encounters another application that has the same name as a popular application, such as Google® Maps, is installed on only a few devices, and uses a different cryptographic signer, server 151 may grant the low-distribution application a low level of trust.
  • a popular application such as Google® Maps
  • An anti-malware system may use such data indicating that a data object has low trust to automatically assess a data object as undesirable or to flag it for manual review.
  • trust data for an application may take into account associated applications such as applications determined to be created by the same developer on the same platform or on different platforms. For example if a company produces an application for one mobile platform that has a large number of users and good ratings, and the company releases a new application on a different platform, the new application may be given a high trust rating based on its association to the first application.
  • server 151 analyzes application data to determine if a data object is part of a mobile communication device operating system or preloaded by a manufacturer or operator. In an embodiment, if server 151 determines that a data object is part of a mobile operating system or is preloaded, it is be granted a high level of trust automatically.
  • server 151 analyzes user-generated ratings and comments for an application, such as those gathered by application marketplace data gathering system 1005 .
  • server 151 may use ratings and reviews to determine a trust rating for the application. If an application has low ratings and negative comments indicating that the application “crashes” or is otherwise “bad”, server 151 assigns the application a low trust rating based on the reputation indicated in its comments; however, if an application has consistently high ratings and many reviews, server 151 assigns the application a high trust rating.
  • server 151 uses ratings and reviews to as a subjective indicator of application quality for use in producing assessments for the application. If an application has a significant number of reviews with text indicating that the application “drains battery” or “sucks battery”, server 151 determines that the application has the reputation of having adverse battery effects and produces an assessment of the application indicating that.
  • server exposes trust data to third-parties via an API.
  • trusted applications may be considered certified by Lookout.
  • the trust level exposed by the API is binary (e.g., trusted, not trusted), fuzzy (e.g., 86% trusted, 11% trusted), or categorical (e.g., fully trusted, malicious, suspicious, semi-trusted).
  • Mobile application marketplaces may wish to display an indicator of this certification on an application download user interface as a signal that the application has a good reputation.
  • server 151 may expose an API by which third-parties can supply a data object or identification information for a data object such as a hash identifier, package name, or cryptographic signer.
  • server 151 After receiving a data object or enough information to identify one, server 151 responds with an indication of whether the data object is considered certified or not.
  • the response is an image indicating whether server 151 considers the data object to be certified or not.
  • the response contains a hyperlink to server 151 whereby a user can verify that the certification for the application is genuine.
  • the web page referenced by the hyperlink shows additional information about the application, such as why it was considered trusted or not (e.g., through manual review, comments, distribution data), what permissions are requested by the application, characteristics and capabilities the application has, and commentary about the application during manual review.
  • server may produce an assessment (block 1113 of FIG. 11 ).
  • server 151 may store the assessment of the data object so that it may be retrieved at a later time (block 1115 ).
  • Server may then transmit the assessment for the data object (block 1117 ).
  • server may publish the assessment on an application provider website, provide the assessment in the form of searchable reports, transmit a notification to a mobile communication device, transmit virus signatures containing the assessment that a given data object is known good or known bad, and transmit a response to an API call querying for the assessment of the data object.
  • Such information can be in the form of readable text, a machine readable format, or may include a “score,” a badge, an icon or other symbolic rating.
  • server 151 transmits an assessment for the data object are possible without departing from the scope of this disclosure.
  • assessment data includes the output from an analysis system, such as characterization data, categorization data, trust data, and distribution data.
  • an assessment for a data object may include (solely or in addition to other information) detected capabilities for the data object, average battery usage for the data object, average number of SMS or email messages sent by the data object, the most common servers the data object connects to, the average amount of network data for the data object, and trust ratings for the data object.
  • the above assessment data may be provided as an input to server 151 .
  • a network operator or enterprise may operate a server that produces assessment data and feeds it data back to a master server.
  • users may determine assessment data and provide it to server 151 via an interface such as a web application.
  • server 151 combines assessment data received from multiple sources to produce an aggregated assessment. For example, if a malware author attempts to transmit an assessment to server 151 indicating that a malicious application is safe in the hopes of causing server 151 to produce a false assessment, the server may utilize the number of unique sources providing assessments and the trustworthiness of those sources to produce the aggregated assessment. If one hundred assessments are received from different, reliable sources such as network operators and enterprises that indicate the application to be malicious, but ten thousand assessments from a particular unverified source indicate the application to be safe, the server produces an aggregated assessment indicating the application to be malicious.
  • assessment data produced by server 151 includes one or more ratings for a data object.
  • an assessment for a data object may include a rating for the data object's privacy by server 151 taking into account whether the application has the capability to send location data, contact data, SMS messages, or files from a device to a server.
  • an assessment for a data object may include a rating for the data object's security by server 151 taking into account whether there are any known vulnerabilities for the application, whether the application listens for network connections on any ports, whether it meets secure coding guidelines, what the trust level of the application is, and whether there are any anomalies in the application (e.g., stealth code, decrypted code, structural anomalies).
  • an assessment for a data object may include a rating for the data object's battery impact, such as estimated number of minutes of phone battery life reduction, by server 151 taking into account by taking into account the battery usage data reported by devices.
  • an assessment for a data object may include a rating for the data object's performance that is produced by server 151 taking into account the average CPU usage of the application and the frequency which the application does not respond to user input events.
  • an assessment for a data object includes a quality rating that is produced by server 151 taking into account the frequency of application crashes, user comments, user ratings, and the average time the application is kept on devices.
  • server 151 provides multiple ratings as part of one assessment so as to provide information about a data object along multiple dimensions.
  • assessments may be binary (e.g., good, bad) or fuzzy (e.g., 100%, 90%, 10%).
  • multiple ratings are combined into an overall rating.
  • server 151 processes multiple data sources available to server 151 to produce a rating for the data object.
  • server 151 may utilize application data, device data, characterization data, trust data, distribution data, and user-supplied data to determine if an application is malicious.
  • the server may utilize a variety of systems or models applied to the data available at the server to produce the assessment. For example, producing an assessment of whether a data object is malicious may involve a malware detection system that includes a heuristic engine that analyzes characteristic data to identify behavior of data objects that are likely to be malicious.
  • Some example heuristics include detecting whether a data object utilizes any capabilities to evade detection by hiding from application enumeration systems on an the OS it is installed on, whether an application attempts to modify itself, whether an application has capabilities associated with known spyware, and whether an application connects to known malicious servers.
  • part of the analysis performed at server 151 to produce an assessment may be seen as extracting features for a data object, and another portion of analysis may be seen as applying a model to those features to produce a useful assessment; thus, one may apply a variety of systems, such as artificial intelligence systems or algorithms, to process the features for a data object to reach a desired form of rating or assessment.
  • server 151 produces multiple assessments for a data object that take into account different device data or configuration information. For example, if server 151 is configured to produce assessments of whether a data object will function correctly and if a data object malfunctions when installed on one type of device, but functions correctly when installed on another device type, server may produce two assessments for the data object. If server 151 has an API by which a mobile communication device 101 can request an assessment for a data object given identifying information for the data object and the mobile communication device has sent device data to server 151 , then server 151 can provide the assessment for the data object that corresponds to the device requesting the assessment.
  • server 151 will return the assessment indicating the malfunctioning behavior of the data object on that device 101 . If a device 101 where the data object would function correctly requests an assessment, then server 151 will return the assessment indicating the correctly functioning behavior on that device 101 .
  • an assessment indicates whether a data object is allowed to run on a device given policy set by an administrator. If multiple policies are configured on server 151 and data storage 111 stores which policy is to be applied to a device 101 , then a given data object may have multiple assessments that depend on the policy of the device querying for an assessment. For example, if a device with a strict privacy policy requests an assessment for an application that can share a user's location, server 151 transmits an assessment indicating that the application is disallowed. If a device with a lenient privacy policy requests an assessment for the same application, server 151 transmits an assessment indicating that the application is allowed.
  • assessment data is not stored and only information used to produce the assessment such as application data, device data, distribution information, characterization information, trust data, and categorization information is stored and the assessment is performed upon request by applying policy to the stored information.
  • server 151 stores manual analysis results for a data object and transmits the manual analysis results as an assessment.
  • server 151 may categorize an application as a social networking application based on its behavioral data; however, the application may actually be a word processing application that allows the user to publish notes to a social network.
  • a user or administrator may override the categorization for the data object, server 151 storing the categorization and transmitting it in response to a request for an assessment for the data object.
  • an anti-malware system identifies data objects having certain characteristics as undesirable. It may also be desirable for a user to manually configure server 151 to treat particular data objects as undesirable.
  • Server 151 stores a list of data objects that are considered undesirable and, when asked for an assessment for one of these data objects returns an assessment indicating that the data object is undesirable.
  • server 151 first produces an assessment and then updates it if additional application data or device data becomes available or if the analysis system itself is updated. In an embodiment, if a data object is re-assessed (e.g., because of new application data, device data, or updated analysis systems), server 151 stores the new assessment 1111 and transmits it 1113 . For example, after gathering device data and application data for a data object from ten devices, server 151 may generate an assessment for that data object.
  • server 151 may re-analyze the data object in light of the new data, producing a new assessment for the data object. If the updated assessment is materially different from the first, actions such as notifying devices or users may be performed by server 151 .
  • server 151 and mobile communication device 101 are configured to function together to prevent malware or spyware from adversely affecting mobile communication devices. Because mobile communication devices are limited in memory, processing ability, and battery capacity, it may be desirable for server 151 to perform analysis, such as the analysis described herein, to determine if an application is considered to be malware or spyware rather than each device performing the analysis. Furthermore, it may be desirable for server to store the results of the analysis so that if multiple devices encounter the same application, the analysis does not need to be repeated. Additionally, it may be desirable for server 151 to collect data about potentially malicious applications, using data collection systems described herein, in order to provide data from a variety of sources for use by analysis systems.
  • analysis such as the analysis described herein
  • mobile communication device 101 when mobile communication device 101 assesses a data object, such as an application package or executable, to determine whether the data object is malicious or otherwise undesirable, the device sends a request to server 151 for an assessment of the data object, the request containing identifying information for the data object.
  • the request transmitted by mobile communication device 101 contains application data for the data object for use by the server in performing the assessment.
  • mobile communication device may additionally transmit the permissions requested by the data object and information, such as a list of APIs utilized, determined by the device by performing static analysis.
  • mobile communication device 101 gathers metadata for a data object by using operating system provided facilities and potentially additional processing.
  • operating system provided facilities and potentially additional processing.
  • both the Blackberry and Android platforms provide mechanisms by which an anti-malware application can query the list of packages installed on a device.
  • Each also provides methods to query additional information about the packages such as cryptographic signature information and information about how the packages choose to integrate or expose themselves to the operating system.
  • mobile communication device 101 may extract features from a data object to assist in server 151 producing an assessment.
  • mobile communication device 101 performs static analysis on the data object to extract application data to transmit to server 151 .
  • the device may analyze the executable portion of an application packages, typically called “classes.dex”. The device may extract a list of inter-process communication calls directly or indirectly performed by the executable file that utilize the “binder” mechanism and transmit information about the calls to server 151 for use in analyzing the application package.
  • server 151 may analyze the data object immediately, or may need to gather additional information using a process such as one disclosed herein. After producing an assessment for the data object, the server transmits the assessment to mobile communication device 101 . In an embodiment, the assessment contains an indication of whether the data object is considered undesirable or not. For example, server 151 may transmit one of three assessments, known good, known bad, and unknown. If the server determines that the data object is known to be good (e.g., because it has a high trust level), it will return an assessment that the data object is known good. If the server determines that the data object is known to be bad (e.g., because it is determined to be a piece of malware), it will return an assessment that the data object is known bad.
  • the server does not have enough information to make a determination, it will return an assessment that the data object is unknown.
  • the assessment contains a risk level of the data object or a confidence level of the known good or known bad assessment so that mobile communication device or its user can use the risk or confidence level to determine how to classify the data object.
  • the assessment transmitted by server 151 to mobile communication device 101 contains information as to why server 151 determined that the data object was undesirable.
  • server 151 may transmit the name of a malware family the data object was determined to belong to or server may transmit an HTTP URL referencing server 151 that mobile communication device 101 can use to display additional information about the data object, the URL containing an identifier that is decoded by server 151 to allow it to retrieve stored information about the data object.
  • the web page may display additional information such as the output from different analysis systems used to produce the assessment.
  • the web page may display distribution information for the data object, information about common servers connected to by the data object, information provided by human analysis of the data object, trust data associated with the data object, information about the geographic distribution of the data object, information about similar data objects, and information about the author of the data object.
  • a mobile communication device 101 may be desirable to minimize requests mobile communication device 101 needs to send to server 151 for assessments of data objects so that the device minimizes the amount of data it transmits and receives, reduces time required to assess a data object, optimizes battery consumption, and minimizes load on server 151 .
  • a mobile communication device 101 maintains a local cache of assessment information received from server 151 .
  • the local cache may be stored using a lightweight database such as SQLite or in a proprietary binary file format that is optimized for assessment storage.
  • the cache may contain an indication as to whether a data object was undesirable or not, a risk level associated with a data object, and definition information such as identifying information for a data object.
  • a device When a device scans a data object, it can look up the data object's identifying information in the local cache. If an assessment for the data object is cached, that assessment is used. If an assessment is not cached, the device retrieves an assessment from server 151 .
  • a mobile communication device inserts an assessment into its cache for a data object encountered on the device, it generates definition information for the data object. For example, a device may use the hash of a data object's content to ensure that it caches assessment results from a server.
  • server 151 transmits definition information with an assessment so that mobile communication device can apply the assessment to the appropriate set of applications. For example, in some cases server 151 may indicate that an assessment only applies to a specific data object identified by a hash of its contents while in other cases the server may indicate that an assessment applies to all data objects signed with the same cryptographic key.
  • a mobile communication device 101 stores a local cache of definitions for known good data objects and known bad data objects for use by a recognition component (described below) operating on the mobile communication device.
  • the mobile communication device can determine an assessment for a suspect data object if the local cache contains a definition and corresponding assessment that corresponds to the suspect data object.
  • the definitions may use criteria such as hash identifiers, package names, and cryptographic signers to match a data object.
  • Each definition may have a corresponding assessment (e.g., “good”, “bad”). If a definition matches a suspect data object, the definition's assessment is used for the suspect data object. If no definitions correspond to the data object, such as the data being recognized as safe or not safe, then the mobile communication device 101 may transmit application data for the suspect data object to server 151 for more comprehensive analysis.
  • the cache is used as the primary storage of anti-malware definitions that determine whether anti-malware software on mobile communication device 101 will recognize a data object as malicious or not without having to consult server 151 .
  • the cache stores definition information used by a recognition component on the device.
  • the cache may contain definition information such as package names, cryptographic signers, byte sequences, patterns, or logic that is used to match data objects on a device with cached assessments. If the cache contains an entry linking a particular byte sequence to an assessment of being a malicious application and a data object on a device contains that byte sequence, then the device will determine that data object to be malicious without having to contact server 151 .
  • the cache only contains definition information, all definitions corresponding to a single assessment of a data object being malicious.
  • the cache may contain assessment information, the assessment information possibly containing an identifier, as discussed above, which can be transmitted to server 151 in order for the device to retrieve information for display to a user. Such an identifier being used to retrieve data from server 151 allows the cache to minimize the information it stores about potential malware.
  • a device cache serves as both a whitelist and a blacklist. The cache contains definition information for known good and known bad data objects so that if a data object is determined to be known good or known bad, the device does not need to request an assessment from server 151 .
  • the cache that serves as both a blacklist and a whitelist is used by a recognition component on the mobile communication device to determine if data objects are recognizably bad or recognizably good. If a data object encountered by a device is neither recognizably good nor recognizably bad based on definition data stored in the cache, then the device may transmit application data for the data object to server 151 so the device can receive an assessment for the data object from the server.
  • anti-malware software on a mobile communication device is installed with a pre-populated cache of definitions that are modified by the device as it receives new assessments or stored assessments are deemed to be invalid.
  • assessments and definitions cached on a device are only considered valid for a period of time so that the mobile communication device does not rely on data that is potentially out of date.
  • cached assessments and definitions are stored indefinitely and considered to be valid without time constraint.
  • a device only stores certain types of assessments and definitions. For example, a device may only cache known good assessments or may only cache known bad assessments. In this case, definitions are only stored if they have a corresponding assessment.
  • part of the cache is stored in volatile storage, such as RAM, and part of the cache is stored on non-volatile memory, such as flash.
  • a device may store frequently accessed assessments and definitions in volatile memory while less frequently accessed assessments and definitions in non-volatile memory. For example, if an anti-malware system analyzes data objects every time they are opened, it may be desirable to very quickly determine an assessment for a data object if it has been recently scanned and not changed. By storing a recently used definition and assessment in volatile memory, the device can recall the previous assessment very quickly.
  • server 151 transmits cache control information with an assessment, indicating whether the device should cache it and, if so, for how long. For example, server 151 may transmit an assessment for a popular application from a reputable company, including cache control information indicating that a device should cache the assessment. If server 151 transmits an assessment for a lesser-known application, it may include cache control information indicating that a device should not cache the assessment, as the application may turn out to be considered undesirable in the future after more is known about it. In an embodiment, server 151 determines cache control information based on the confidence of an assessment. For example, known good assessments for applications that have a high trust level may be considered to be highly confident while assessments indicating that an application is unknown due to lack of data available to the server may not be considered confident. In an embodiment, when an assessment expires, cached definition information associated with the assessment is also expired.
  • server transmits assessments to a mobile communication device without the device requesting the assessments and the mobile communication stores these assessments in its cache. Because all of the assessments available to server 151 may require more storage than is desirable on mobile communication device 101 , server may only transmit a subset of its available assessments. In an embodiment, server 151 determines which assessments to transmit to mobile communication device 101 by analyzing device data and application data.
  • server 151 may store the operating system a data object is compatible with associated with assessments for data objects in such a way that the server can query for all of the assessments related to a given operating system. Server 151 may then only transmit assessments to a mobile communication device that are for data objects that are compatible with the operating system the device is running. The other assessments would not be transmitted to the device because the data objects referenced by the other assessments are not able to run on the device's operating system.
  • server may use a device's country, language, or area code to determine what assessments to transmit to the device. Users in the United States are unlikely to download Russian-language applications, just as users in Russia are unlikely to download Spanish-language applications.
  • server 151 stores which assessments it has already transmitted to a device and the device has successfully received so that assessments are not unnecessarily re-transmitted. If a device has not received assessments that are desired, the server transmits the assessments the next time the device connects.
  • server 151 may group assessments, such that a given device receives all assessments in one or more groups. For example, a given group of assessments may have changes (e.g., new data objects being assessed, changes to existing assessments) multiple times per day; however, a device may be configured to receive updated assessments only once per day.
  • server may record the time when a device has last received up to date assessments for a group and only examine changes to the group since the device has last received assessments. For example, if a device receives all of the assessments for a given group on Monday and two new assessments are added to the group on Tuesday, then, if the device connects on Wednesday, the server only needs to query what assessments have changed in the group since Monday and will determine that it needs to transmit just the two added assessments.
  • server utilizes a push service such as one described herein to alert a device that there are additional assessments that server is ready to transmit to the device.
  • server updates assessments that are part of a group, all devices that receive assessments from that group can be updated with the latest assessments nearly immediately.
  • assessments can be grouped by server 151 in order to selectively transmit assessments to a device. For example, there may be more assessments for data objects compatible with a given operating system than it is desirable to store on a device.
  • the server may produce a group of assessments that correspond to the most prevalent data objects, based on distribution data or market data available to server 151 .
  • devices will cache assessments for the data objects they are most likely to encounter. It is also possible to further improve the likelihood that a device has assessments cached for data objects it encounters by server 151 analyzing the application data available at the server corresponding to the data objects previously encountered by the device and predicting, based on those previous encounters, what data objects the device is likely to encounter in the future. Assessments for these likely data objects can then be transmitted to the device.
  • the amount of assessment data to cache on a mobile communication device 101 is determined by server 151 .
  • server 151 may examine the amount of storage available on a device, the frequency by which a user downloads applications, and how likely additional cached assessment data will be to reduce the number of required assessment requests transmitted by the device.
  • the server may determine to cache a large amount of assessment data; however, if a device has little available storage and its user rarely downloads applications, then the server may determine to cache only a small amount of data or no data.
  • the server may also examine previous assessment requests made by the device to determine if those requests could have been avoided by the device caching additional assessment information. For example, if a device currently receives assessments belonging to a particular group of applications and the server is evaluating whether device should receive assessments for an additional group of applications, the server examines previously assessment requests to determine how many of those assessments were in the second group. If server 151 determines that enough of the assessments requests would have been avoided, then it will start transmitting assessments from both groups to the device. In an embodiment, a user can control the amount of storage to allocate to cached assessments on a mobile communication device 101 .
  • server 151 transmits an assessment for a data object indicating that the object's undesirability is unknown.
  • mobile communication device 101 encounters a data object, it transmits a request to server 151 for an assessment, and receives an unknown assessment, the device temporarily trusts the data object and retries the request for assessment at a later time. In order to avoid unnecessary requests, the device increases the time delay between retries if it continues to receive unknown assessments. During such a period of temporary trust, the device does not re-transmit an assessment request every time a data object is scanned.
  • the first access to a data object may result in the device transmitting an assessment request to server 151 . If the server returns an unknown assessment, then the device stores a temporary entry in its assessment database indicating identifying information for the data object, a temporary assessment indicating that the data object is allowed, and the time period the assessment is valid for.
  • server 151 transmits information about a data object in an unknown assessment and mobile communication device 101 uses the data assessment from server 151 as an input into a local analysis system.
  • mobile communication device 101 may have a heuristic system that analyzes the content of a data object to determine if it is malicious. In the case of a known good or known bad result from server 151 , then the device either does not run the heuristic system or discards the result from the heuristic system. If server 151 returns an unknown result including a trust level for the data object, device 101 combines result from the heuristic system with the trust level provided by the server to determine whether to treat the data object as undesirable or not.
  • mobile communication device 101 may scale the result from local analysis based on the trust level reported by server 151 . If a heuristic system on the device determines that a data object is 66% risky and an unknown assessment from server 151 indicates that the data object has a suspicious 1% trust level, the device determines that the data object is undesirable; however, if the unknown assessment from server 151 indicates that the data object has a 70% trust level, then device 101 determines that the data object is desirable.
  • server 151 In order to respond to undesirable applications, such as malware and spyware, as soon as they are identified as such, it may be desirable for server 151 to transmit notifications to mobile communication device 101 about data objects that are determined to be undesirable after previously being classified as good or unknown.
  • server 151 stores information about data objects encountered by mobile communication device 101 so that if a data object encountered by the device was assessed to be good or unknown but was subsequently determined to be undesirable, server 151 may determine all of the devices that have encountered the data object and transmits a notification indicating that the data object is undesirable. In an embodiment, server 151 only transmits a notification to device 101 if the data object that is the subject of the notification can operate on the device's operating system.
  • server 151 would not transmit a notification to the device; however, if the device encountered a Blackberry spyware application, server 151 would transmit a notification.
  • the determination of whether a data object can operate on a given device may be determined by analyzing device data for the device and application data for the data object.
  • the notification transmitted from server 151 to device 101 is designed to be consumed by the device and includes both identification information and remediation information for the data object.
  • the notification may utilize a push service provided by a platform vendor and include the package name and content hash for a data object.
  • the notification may also specify a remediation action such as “killing” any processes containing the data object, requesting for a user to uninstall the data object, and deleting the data object without user intervention.
  • the notification includes information for display to a user about the data object such as remediation instructions, an explanation for why the data object is considered undesirable, or a request to take a particular action.
  • the notification is in the form of a human readable message, such as a text message, email, or telephone call. It may be desirable for server to perform both human readable and machine readable notification to ensure that a user responds to a dangerous data object. For example, server may transmit an email message to a user and transmit a notification for the device to remove the data object without user intervention.
  • mobile communication device 101 contains a database of all data objects that are present on the device and server 151 transmits updated signature data to the device when a data object encountered by the device is determined to be undesirable.
  • server 151 transmits updated signature data to the device when a data object encountered by the device is determined to be undesirable.
  • the device receives the updated signature data, it compares the updated signature data to data objects present on the device. If any objects that are present on the device are considered by the updated signature data to be undesirable, then the device immediately initiates remediation actions, not waiting for the next time the data object is scanned.
  • mobile communication device 101 maintains a list of data objects identified that have been analyzed and are considered to be desirable. When a data object is desired to be scanned, the device may first check this list to see if the data object is present. If the object is present, the device does not re-scan the object. After scanning a file and determining it to be desirable, the device places an identifier for the data object in the list.
  • Example identifiers include a file name, filesystem node identifier, or operating system specific data object handle.
  • the mobile communication saves this list of data objects to non-volatile storage so that the list can be preserved even if the device is rebooted or runs out of battery.
  • assessments and later accessing them it's important that any stored assessments are valid only for a particular set of data object content. If the data object's content changes, a different assessment may be necessary, as the data object may have been modified to include malicious code that was not present in the original data object.
  • the list contains a cryptographic hash of the content of the data object. When the device determines whether the data object is considered to be on the list, it compares the hash of the data object as stored on the device with the hash stored in the list. If the hash matches, the data object is considered to be on the list.
  • the anti-malware software can determine when files are opened and closed. If a file on the list is opened with write access, then it is removed from the list. While there are open writers to the file, the file cannot be added to the list.
  • a mobile communication device can request an analysis of all of the data resident on the device (a “scan”) when the mobile communication device first starts up or powers on, or when the application responsible for monitoring the mobile communication is first launched. This provides a baseline analysis of the security of the mobile communication device. Future scans may be performed when new applications are accessed by the mobile communication device, or at pre-set time intervals, or upon user request. Scans may be adjusted depending upon the access to network 121 . If connectivity is an issue, then only newer data may be assessed, or suspect data. Scans may be queued and performed when connectivity improves.
  • an anti-malware system on mobile communication device 101 has the capability to perform both an on-demand and a scheduled scan of all data objects present on a device. If the anti-malware system utilizes server 151 to perform assessments for the data objects, it may be desirable to optimize the time required to perform the scan. Because network latency causes a delay between the time a request for an assessment is transmitted by a device and the time the device receives a response from server 151 , it may be desirable to pipeline requests in such a way that the device does not simply idle while waiting for a response. In an embodiment, mobile communication device transmits a request to server 151 to provide assessments for multiple data objects and server 151 transmits assessments for those multiple data objects to the device.
  • a device may be configured to first enumerate all of the data objects on the device and then send a request to server 151 to assess all of the enumerated data objects.
  • a device may enumerate ten data objects at a time, then send a request to the server and receive a response for those ten data objects before scanning additional data objects.
  • a device may enumerate data objects and transmit assessment request, continuing the enumeration process without waiting for assessment responses from the server. The device may only wait for responses when the enumeration is complete.
  • mobile communication device 101 proactively scans data objects and stores the results so that when the data object is loaded, the device can reference the previous scan result. For example, when a device loads a program that depends on multiple other files (e.g., an executable that is linked to shared libraries), an anti-malware system on the device may analyze the program to determine all of the libraries it depends on, send a request to server 151 for assessments for the program and its dependent libraries, and then allow the program's execution to proceed once the device receives positive assessment results.
  • a program that depends on multiple other files (e.g., an executable that is linked to shared libraries)
  • an anti-malware system on the device may analyze the program to determine all of the libraries it depends on, send a request to server 151 for assessments for the program and its dependent libraries, and then allow the program's execution to proceed once the device receives positive assessment results.
  • the device's operating system loads the libraries the application depends on, no request to server 151 is needed because the system already has up-to-date assessments for the libraries. If the libraries were not proactively analyzed, the total load time for the program could be greater as the device may have to wait for multiple requests to server 151 to occur in serial.
  • software on a mobile communication device analyzes data objects after they are downloaded but before they are executed. For example, anti-malware software on a device may watch the download directory for new files or may simply wait for files to be created, written to, and then closed. After the download completes, the software may initiate a scan of the new file so that once the file is opened, the system already has assessed it and can recall the previous assessment.
  • an anti-malware system blocks user-requested or system operations while it is assessing a data object, it may be desirable to give the user an indication that an assessment is in progress, especially if the assessment depends on a network connection that may have significant latency.
  • an anti-malware system on mobile communication device 101 displays a user interface indicating that a data object is being scanned when the system is scanning the data object and blocking user-requested operations. For example, if an anti-malware system prevents the execution of applications until the application and all of its dependent libraries have been assessed by interposing itself in the application launch process, there can be a significant delay perceivable to the device's user.
  • the device displays a user interface view indicating that the anti-malware system is assessing the application that the user launched.
  • the user interface allows the device's user to skip waiting for the scan to finish. For example, if the device's scanning of a data object needs to connect to server 151 and the user doesn't want to wait, the user may proceed without waiting for the assessment to return. If the assessment subsequently returns that the data object is malicious, the device may initiate remediation actions, such as killing any processes containing the data object and deleting the data object, even though the data object was allowed to run.
  • a user may be interested in having an application assessed, but does not wish to wait for a response from server 151 .
  • the user may choose to forego complete analysis and use the application while waiting for analysis results.
  • server 151 or the user's mobile communication device 101 could provide a temporary trustworthiness evaluation prior to formal analysis.
  • Reporting can be in the form of an interface element, a notification, a warning, a risk rating, or the like.
  • the mobile communication device 101 can run a local analysis to determine whether an application is temporarily trustworthy. It may also be desirable to show information about a data object on a user interface that indicates when an anti-malware system is waiting for an assessment from a server so that users do not accidentally skip items that are high risk.
  • the waiting user interface shows the result of local analysis while waiting for an assessment from server 151 .
  • the user interface may show the capabilities of the data object or a risk score for the data object.
  • the device only allows a user to skip waiting for an assessment from server 151 if local analysis determines that the data object is low risk.
  • a risk score may be calculated by analyzing what sensitive functionality a data object accesses. A data object that accesses a user's contact list and browser history may be deemed more risky than a data object that doesn't access any sensitive functionality.
  • an anti-malware system on device 101 determines whether it should wait for a response from server 151 before reaching a conclusion based on the context of the scan. For example, scans that occur during system startup or when there is no active network connection should not block waiting for a response from the server. In order to determine if there is a network connection, the anti-malware system may rely on a variety of methods such as querying network interface state information provided by the operating system and analyzing whether requests to server 151 time out.
  • the anti-malware system intercepts system calls, scans that occur as a result of the system trying to execute a data object should block while waiting for a response from server 151 while scans that result from an application getting information about a data object (e.g., file manager extracting an icon for the data object) should not block while waiting for a response.
  • a request for a data object assessment is unable to be completed, it is retried at a later time.
  • the anti-malware system skips portions of server or local analysis if an accurate assessment can be produced without the additional analysis. For example, if local analysis determines that a data object is not risky, then the device may not request an assessment from server 151 —the device may only request an assessment from server 151 if the data object being scanned has a minimum riskiness as determined by a local analysis component on the device. In an example, the determination of whether to skip waiting for additional results is determined by both the results and which system returned each result.
  • a “bad” result from local analysis before receiving a result from server 151 may be enough to treat a data object as malicious; however, a “good” result from local analysis may still require the system to wait for an assessment from server 151 to confirm that the data object is good before determining a final disposition.
  • the anti-malware system on a device analyzes the results of the systems to make a determination as to the final disposition of a data object, the determination taking into account both what results were produced and which system produced each result. For example, the anti-malware system may determine that a single undesirable result is enough to flag a data object as undesirable.
  • server 151 may be treated as authoritative or server 151 may transmit a confidence level of its assessment so that device 101 can determine whether to treat the assessment as authoritative or not.
  • known bad results from server 151 may be authoritative but known good results from server can be overridden by a known bad result from a local analysis system on device 101 .
  • server 151 stores a list of malware or other undesirable applications that have been detected on the device and which are still active on the device.
  • mobile communication device 101 sends events to server 151 , including whenever it encounters an undesirable application, whenever an undesirable application is removed, and whenever an undesirable application is ignored.
  • the events include identifying information for data objects so that server 151 can correlate the events with known data objects. For example, because a user may choose to ignore malware, it's important for the user to be able to see his or her list of ignored malware to avoid a situation where a malicious user installs malware on someone else's phone and configures anti-malware software on the phone to ignore the malware, preventing the system from automatically removing it.
  • server 151 has data indicating whether device 101 currently has active malware, network access can be allowed or denied to the device depending on its malware state by a network access control system querying server 151 for the state of a given device.
  • server-side or “cloud” analysis may be performed using a version of the three-component system described in U.S. patent application Ser. No. 12/255,621, which is incorporated in full herein.
  • An example of a three-component system is illustrated in FIG. 9 and includes a first component 903 that may be used to recognize data that is safe, or “known good” (also referred to herein as forming part of or being included on a “whitelist”).
  • a second component 905 may be used to recognize data that is malicious, wastes device resources, or is “known bad” (also referred to herein as forming part of or being included on a “blacklist”).
  • a third component 907 is a decision component that may be used to evaluate data that is neither known good nor known bad, i.e., “unknown.”
  • known good component 903 and known bad component 905 may reside on mobile communication device 101
  • decision component 907 may reside on server 151 .
  • known good component 903 , known bad component 905 and decision component 907 may all reside on server 151 .
  • portions of known good component 903 , known bad component 905 and/or decision component 907 may reside on mobile communication device 101
  • portions of known good component 903 , known bad component 905 and/or decision component 907 may reside on server 151 .
  • known good component 903 and known bad component 905 reside on server 151 while decision component 907 resides on mobile communication device 101 .
  • data store 111 may contain malware definitions that are continuously updated and accessible by server 151 .
  • the mobile communications device 101 may be configured to send application data, such as a hash identifier, for a suspect data object to server 151 for analysis.
  • Server 151 may contain known good component 903 , known bad component 905 and decision component 907 , or the components may be distributed across two or more servers.
  • the one or more servers may thereby use application data to determine if the suspect data object is a recognizably safe data object. If the suspect data object is recognizably safe, then the one or more servers may notify the mobile communications device or instruct the device that it may accept and process the data object. The one or more servers may then use application data to determine if the suspect data object is recognizably malicious.
  • the one or more servers may notify the mobile communications device or instruct the device to reject the data object and not process it further.
  • the known good and known bad components may have a variety of methods for recognizing known good and known bad data objects.
  • the data, logic, and any other information used by known good and/or known bad components to identify recognizably good or recognizably bad data objects, respectively, may be called “signatures” or “definitions” (explained further below).
  • one or more servers may perform additional analysis to reach a decision as to the disposition of the data object.
  • server 151 contains a decision component that uses one or more analysis systems to analyze application data for the data object and make a determination as to whether the data object is considered undesirable or not.
  • the one or more servers may request that a mobile communications device send additional application data to the server for analysis. For example, a device may initially send a hash identifier, package name, and cryptographic signer information for a data object to a server for analysis.
  • the server may request that the device send the whole data object to the server so that the data object itself may be analyzed.
  • further analysis to reach a disposition for whether a device should accept or reject the data object may be performed by a decision component 907 or manually.
  • the server stores whether or not a given data object needs manual analysis so that an analysis team may easily determine what data objects need to be analyzed.
  • server 151 may use analysis systems to produce store a list of suspicious data objects that need further study.
  • some results from analysis systems on server 151 produce assessments that are transmitted to mobile communication device 101 and others identify data objects as needing human analysis. For example, if server 151 utilizes a set of heuristics to identify malicious applications, some set of the heuristics may be well tested and provide acceptable accuracy in correctly identifying malicious behavior while another set of heuristics may be experimental, requiring human analysis to determine if the results are acceptable.
  • known good component 903 coupled to a database, logic, or other data store containing definitions for known good data objects (e.g., application data such as hash identifiers) may significantly reduce false-positive undesirable application detection and reduce the need to perform computationally expensive analysis or to contact a server for analysis.
  • application data such as hash identifiers
  • use of a known good component 903 may be particularly effective for data that contains executable software code. Executable software code for a given application rarely changes between different mobile communications devices, so creating a database of known good application data or logic for evaluating application data may be an effective method for recognizing safe or trustworthy data.
  • This database may vary in size depending upon the resources available on the mobile communications device.
  • aspects of this disclosure such as the known good component and known bad component, may have access to a remote server with a larger library of application data for known good or bad data objects, such as server 151 coupled to a data store 111 in FIG. 1 .
  • known bad component 905 may have access to a database, logic, or other data store containing definitions for known bad data objects that can be stored on the mobile communications device without occupying a significant amount of memory.
  • virus and other malware or spyware definitions can include application data such as hash identifiers, package names, cryptographic signers, byte sequences, and byte patterns stored in a database or other memory cache.
  • known bad database that complements the known good database stored on mobile communications device 101 .
  • known bad component 905 may be capable of identifying malware using characteristics common to other malicious software code.
  • known bad component 905 When applied to network data or data files, known bad component 905 may have access to a database containing patterns or other characteristics of a protocol data unit or file format which presents a security threat. Known bad component 905 may also identify data that undesirably affects a mobile communication device, such as exposing vulnerabilities, draining battery life, transmitting private or unauthorized information to third parties, or using up unnecessary device resources. Similar to the known good component 903 and database, any data identified as “bad” may be deleted, quarantined, or rejected from further processing by the mobile communications device. If a known bad data object is detected, an embodiment of this disclosure may also display a notification or other message similar to that described in co-pending U.S. patent application Ser. No. 12/255,635, entitled “SECURITY STATUS AND INFORMATION DISPLAY SYSTEM,” filed on Oct. 21, 2008 and incorporated in full herein.
  • Decision component 907 may be used to evaluate data that cannot be characterized as either known good or known bad. Since a majority of the data received on the mobile communications device 101 may fall within this category, this component may reside on server 151 . This component may utilize a variety of methods to produce an assessment for a data object, including using any of the analysis systems disclosed herein. For example, decision component 907 may apply static analysis, dynamic analysis, distribution analysis or other methods of analysis in order to determine whether received data may be passed to its intended destination or rejected to prevent harm from befalling the device. Examples of this analysis are discussed below.
  • known bad component 905 analyzes it. If known good component determines the data to be good, it is allowed. If known bad component 905 determines the data to be bad, it will be rejected from processing 813 . If known bad component 905 does not determine the data to be bad, the data may be analyzed by decision component 907 to reach an assessment for the data.
  • block 801 may involve gathering data sent to or received from the mobile communications device.
  • the data may be analyzed to identify its protocol and track state (block 803 ).
  • known good component 903 resident on the mobile communication device may evaluate the gathered data for known good characteristics.
  • Known good characteristics may include the characteristics previously discussed or described in U.S. patent application Ser. No. 12/255,621. If the data contains sufficient known good characteristics, it may be allowed to proceed to its intended destination (block 811 ) for processing, execution or other operation.
  • the data may be further analyzed by known bad component 905 resident on the mobile communication device to confirm that the data is truly safe (block 807 ). If known bad component determines that the data is truly safe, then the data may be allowed to proceed to its intended destination (block 811 ). Decision component 907 may also be available to provide a final check (block 809 ) before allowing the data to proceed (block 811 ).
  • Analysis of a data object may be performed at any time.
  • the data object may be evaluated prior to access or download, or after download but prior to installation, or after installation, prior to installation of a new version of the data object, or after the installation of a new version of the data object, if the data is an application.
  • a data object that has not yet been downloaded to a device is evaluated by using identifying information about the data object.
  • an application market accessible to a mobile communication device makes applications available for download and provides identifying information about the data object such as a hash of the application's content or a package name for the application
  • software on the mobile communication device can use the identifying information to determine an assessment for the application by evaluating the identifying information locally using any of the systems described herein or by transmitting the identifying information to server 151 and receiving an assessment from the server. In this manner, the software on the mobile communication device can assess whether applications are undesirable or not before a user downloads them.
  • a signal event or security event information log may be updated to record the encounter with the contaminated data.
  • executable data such as applications, programs and/or libraries on the mobile communications device may proceed as illustrated in FIG. 9 .
  • the executable is determined to need to be classified as either good or bad as a result from an attempt to access the executable, installing the executable, or the executable being downloaded or otherwise transferred to the mobile device.
  • the executable may or may not be pre-processed to extract additional application data such as a hash identifier, cryptographic signer, package name or other characteristics before being evaluated by known good component 903 resident on the mobile communication device (block 903 ).
  • This evaluation may include comparing the executable's hash identifier or other characteristics against a database of known good characteristics, identifying whether the executable has sufficient known good characteristics, or any of the criteria discussed above or described in U.S. patent application Ser. No. 12/255,621.
  • the executable If the executable is recognized as known good, then in block 911 , it may be allowed to execute its code or proceed to its intended destination for processing or other operation. If known good component 903 fails to allow the executable data, then known bad component 905 resident on the mobile communication device may perform its analysis (block 905 ). If known bad component 905 confirms that the executable is malicious, then the executable may be quarantined, rejected, or deleted, and the event may be logged (block 909 ). If known bad component 905 is unable to characterize the executable, then the decision component 907 may perform its analysis as described further below (block 907 ). If decision component 907 ultimately determines that the executable is safe, then the executable is allowed (block 911 ).
  • decision component 907 ultimately determines that the executable is not safe, or remains unsure, then the executable may be quarantined (block 909 ).
  • executables may contain code that can cause significant harm to the mobile communications device, it may require more rigorous analysis before the executable is allowed to proceed.
  • known good component 903 and known bad component 905 can be kept lightweight on the resident mobile communication device by only storing definition information about those applications most likely to be accessed by the mobile communication device. As described above, such information may be determined, for example, based upon device data, the applications previously installed on the mobile communication device, and the way the mobile communication device is used (e.g., work versus entertainment, accessing public networks versus private networks, etc.).
  • each mobile communication device may store different definition information, and that an embodiment of this disclosure contemplates such granularity.
  • an embodiment of this disclosure is directed to server-side analysis of data in the event that known good component 903 and known bad component 905 are unable to determine whether the data is safe.
  • decision component 907 resides on one or more servers 151 in communication with the mobile communication device over network 121 , i.e., “in the cloud.”
  • the decision component may rely on one or more analysis systems, such as the analysis systems disclosed herein. Because decision component 907 resides on computing resources that are more powerful than the mobile communication device, it can provide a more robust analysis to determine if data should be considered bad or good for device 101 .
  • analysis that takes place on server 151 can take advantage of data collected by the server to produce an assessment that would not be possible only relying on data available to mobile communication device 101 .
  • decision component 907 on server 151 may determine that a data object is malicious if behavioral data reported by devices indicate that the data object sends premium-rate SMS messages or dials premium-rate phone numbers on devices that it is installed on.
  • decision component 907 utilizes one or more types of internal analysis systems to characterize whether a data object is good or bad.
  • the decision component 907 is designed to detect security threats without specific definitions for the threats being protected against.
  • decision component 907 may operate as an additional security component to compensate for any weaknesses from known good component 903 or known bad component 905 and to identify new threats that have not been previously identified.
  • decision component 907 there are a number of analysis systems that may be utilized by decision component 907 , including but not limited to systems that use heuristic algorithms, rule-based or non-rule-based expert systems, fuzzy logic systems, neural networks, or other methods by which systems can classify a data object. As described above, such systems may use a variety of data available to decision component 907 , including but not limited to distribution data, characterization data, categorization data, trust data, application data, and the like. For example, decision component 907 may analyze applications, libraries, or other executables on a mobile communications device. In an example, the decision component 907 may contain a neural network which analyzes characteristics of an executable and determines a security assessment based on network connection characteristics.
  • Such characteristics may be determined based on information contained in the executable file format or as a result of processing the content of the executable file.
  • the decision component 907 may contain an expert-system which analyzes the behavior of an executable through function calls, system calls or actions an executable may take on an operating system. If an executable calls in a way that signifies malicious behavior, the system may flag that executable as potential malware and action may be taken.
  • decision component 907 may be desirable to update rules or analysis parameters independently of updating the executable code powering the decision component.
  • the decision component 907 contains a virtual machine-based decision system by which an executable can be classified by a set of rules that may be updated independently of the decision component itself.
  • Such a system is able to add new logic to detect certain new classes of undesirable applications on the fly without having to update the whole decision component.
  • the system may pre-process the executable so that the virtual machine's logic can symbolically reference the executable rather than having to process the executable itself.
  • the decision component 907 may consider third party information to evaluate data.
  • a mobile communication device 101 is capable of accessing an application provider, such as Apple's App Store, the Android Market, or other software repository or digital distribution platforms for providing applications available for download and installation on the mobile communication device.
  • server 151 has access to such application providers and can collect information about specific applications. For example, server 151 can search for and collect user-generated reviews or ratings about applications. An application that has favorable ratings may be deemed safe while an application with significantly negative ratings may be deemed undesirable.
  • server 151 may also determine trust data for data objects, the assessment for an application with negative reviews may only indicate that the application is undesirable if the application has a low trust rating while an application with a high trust rating and negative reviews may still be considered desirable by an anti-malware system.
  • decision component 907 may utilize a number of analytical methods in order to fully evaluate the threat level of data received by or transmitted from the mobile communications device.
  • Other examples may be contemplated without departing from the scope of this disclosure.
  • identifying recognizably good data objects and recognizably bad data objects may be performed by a single component rather than by separate “known good” and “known bad” components.
  • a single recognition component performs the functionality of identifying both recognizably good and recognizably bad data objects.
  • a recognition component utilizes definitions to determine an assessment for a data object.
  • the recognition component first examines application data for a data object to determine if any definitions correspond to the data object. For example, if the recognition component has access to definitions that are hashes of data objects' content, a definition that has the same hash as the hash of a given data object's content is determined to correspond to the data object. In another example, if the recognition component accesses definitions that contain byte sequence signatures, a definition with a byte sequence contained in a data object's content is determined to correspond to the data object.
  • Each definition may be associated with an assessment so that the recognition component can examine application data for a data object to determine a corresponding definition, determine a corresponding assessment for the definition, and therefore produce an assessment that corresponds to the data object.
  • the application data for a data object may include identifying information such as the data object's hash, package name, unique identifier, or other application data such as the data object's content.
  • the definitions used by a recognition component represent known data objects. In this case, when the recognition component determines if an assessment for a known data object corresponds to a data object being analyzed, the data object being analyzed and the known data object do not have to be exactly the same.
  • a definition may be created for the first application that matches the first application's package name. If the developer creates a modified application that has the same package name as the first application and the recognition component encounters the modified application, the definition is determined to correspond to the modified application because the package name in the definition matches the modified application's package name. The recognition component then determines that the undesirable assessment for the first application applies to the modified application.
  • a recognition component may access a database of definitions, each definition indicating a hash of a data object's content and an indication of whether a data object to which the definition corresponds is considered to be good or bad.
  • the definitions used by one or more recognition components operating on server 151 are stored on server 151 or on data storage 111 .
  • known good component 903 and known bad component 905 are each implemented on server 151 using a recognition component.
  • a known good component may include a recognition component where all of the definitions accessed by the recognition component correspond to an assessment that a data object is considered to be good.
  • known good and known bad components are each implemented as recognition components that match application data for a data object against known good and known bad application data.
  • a known good component may have a list of known good hash identifiers, package names, and cryptographic signers that it tries to match with data objects being analyzed.
  • a data object has any characteristic in the known good list, it is considered safe.
  • a server may use a similar known bad system that matches known bad application data to application data for a data object being analyzed.
  • Other known good and known bad analysis systems are possible without departing from the scope of this disclosure.
  • the recognition component produces a variety of assessments—not simply “good” or “bad.”
  • the recognition component uses a single assessment instead of storing multiple assessments if all definitions only have a single corresponding assessment, such as in the case where the recognition component only identifies whether a data object is “known bad.”
  • Other variations are also possible without departing from the scope of this disclosure.
  • FIG. 12 illustrates an embodiment of this disclosure used to assess data objects on a mobile communication device.
  • a mobile communication device 101 may first initiate a scan of a data object, such as in the case of a full system scan or when the data object is being executed or installed 1201 .
  • the recognition component evaluates application data for the data object (e.g., package name, hash of data object's content, unique identifier, content of data object) to determine if a definition accessible to the recognition component corresponds to the data object (block 1202 ).
  • application data for the data object e.g., package name, hash of data object's content, unique identifier, content of data object
  • the correspondence may include matching identifying information for the data object to data contained in a definition or matching the data object's content to sequences, patterns, or logic contained in a definition.
  • recognition component determines the corresponding assessment for the data object.
  • recognition component in block 1202 utilizes a data store of definition and assessment information.
  • the definitions stored on the mobile communication device may be pre-populated or populated when the mobile communication device receives the definition and assessment information from server 151 .
  • the definitions stored on the mobile communication device may be considered a cache, the cache functioning as described above. If the recognition component on the mobile communication device determines an assessment for the data object (block 1203 ), that assessment is processed to determine how to treat the data object (block 1204 ).
  • the mobile communication device may disallow the data object from being executed or prompt the device's user to uninstall the data object.
  • the recognition component on the mobile communication device does not determine an assessment for the data object (block 1203 )
  • mobile communication device 101 transmits data object information such as application data (e.g., identifying information, content of the data object) to server 151 (block 1205 ).
  • the server receives the data object information (block 1206 ), and a recognition component on server evaluates the data object information to determine if a definition accessible to the recognition component corresponds to the data object (block 1207 ).
  • server 151 determines an assessment for the data object and transmits it to mobile communication device (block 1209 ). If the recognition component does not determine a corresponding definition or assessment for the data object (block 1208 ), a decision component on the server analyzes the data object information (block 1210 ). If the decision component produces an assessment, then server 151 transmits the assessment to the mobile communication device (block 1209 ). If no assessment is produced by the decision component, then the server transmits an indication that the data object is unknown to the mobile communication device (block 1209 ). Mobile communication device 101 receives the assessment from the server (block 1211 ) and processes the assessment information to determine how to treat the data object (block 1204 ).
  • mobile communication device 101 adds information from the assessment received from server 151 to its local definition cache when it processes assessment information (block 1204 ).
  • the device may store information such as a disposition for the data object (e.g., “known good”, “known bad”, “malware”, “spyware”), an identifier transmitted by server 151 , and definition information generated by the device or transmitted by server 151 (e.g., hash of the data object's content, data object's package name).
  • mobile communication device performs analysis on a data object being scanned using a local decision component on the mobile communication device before transmitting data object information to server 151 in the case where the recognition component on the mobile communication device does not determine an assessment.
  • analysis by the local decision component and transmitting data object information to the server occur in parallel to minimize delay to a user.
  • mobile communication device 101 transmits authentication information such as authentication credentials or session information to server 151 whenever sending information about a data object so that server can associate information exchanged with a particular account on the server.
  • authentication information such as authentication credentials or session information
  • assessments include output from one or more analysis systems (e.g., characterization data, categorization data, trust data, and distribution data) and one or more ratings for a data object (e.g., security rating, privacy rating, battery rating, performance rating, quality rating).
  • analysis systems e.g., characterization data, categorization data, trust data, and distribution data
  • ratings for a data object e.g., security rating, privacy rating, battery rating, performance rating, quality rating
  • assessment information pertains to a wide variety of information which can be used to understand the effects of installing a given data object on a mobile communication device beyond a typical anti-malware system's assessment of whether the data object is malicious or not.
  • this assessment information can be used to guide decisions regarding whether to download and install different types of data objects.
  • Such information can be useful to an individual user trying to decide whether to install a certain application on his mobile communication device.
  • Such information can also be useful to an IT administrator trying to decide whether to deploy a certain application to a plurality of mobile communication devices.
  • a user or IT administrator can use this assessment information for application policy enforcement.
  • server 151 can provide information that details how a data object is estimated to affect a mobile communication device before the data object is installed on the mobile communication device. For example, server 151 can provide estimated battery usage information and/or network usage information for an application.
  • server 151 merges assessments for multiple data objects into a single assessment and transmits the merged assessment. For example, if an application contains multiple data objects (e.g., executable and multiple libraries), a user may wish to see an assessment for the application as a whole, not multiple assessments for its constituent data objects. Similarly, if there are multiple versions of an application (on a single platform or multiple platform) that exhibit similar characteristics, an enterprise policy administrator making a decision about the application may only wish to view a single assessment that encompasses all versions of the application.
  • multiple data objects e.g., executable and multiple libraries
  • server 151 may use application data such as file paths, version numbers, package names, cryptographic signers, installer source, and other information to determine that a group of data objects pertain to a particular version of an application and/or that one or more data objects or group of data objects belong to different versions of an application. For example, if a set of executables are commonly seen in the same directory together, server 151 may determine that those executables are all related to the same application. In another example, if an application package has both a package name and a version identifier embedded in it, server 151 may determine that two data objects with the same package name and human-readable application name but different version identifiers are multiple versions of the same application.
  • application data such as file paths, version numbers, package names, cryptographic signers, installer source, and other information to determine that a group of data objects pertain to a particular version of an application and/or that one or more data objects or group of data objects belong to different versions of an application. For example, if a set of executables are commonly seen in the same directory
  • an embodiment of this disclosure is directed to server 151 including some or all of the same fields in assessments for data objects that run on different platforms. For example, even though the location APIs on different smartphone operating systems are very different in their function, server 151 may perform operating system specific analysis on data objects to produce a cross-platform assessment of whether each data object accesses the device's location. If the assessment were in the form of a list of capabilities for the data object, both a mapping application on BlackBerry and a location-based social network on Android would have the “accesses device location” capability. Similarly, battery usage may be calculated differently on each platform, but server 151 may produce a cross-platform assessment of the estimated daily battery use measured as a percentage of total battery capacity.
  • merged assessments for multiple data objects include information about the range of characteristics and categorization for data objects. For example, an assessment may show a trend in the battery usage of multiple versions of an application. An application that used a lot of battery in an old version but has recently decreased its battery usage may be acceptable while an application that has consistently high battery usage may be unacceptable.
  • An embodiment of this disclosure is directed toward server 151 making assessments for data objects available via a web interface. For example, users may wish to be able to learn more about the characteristics and capabilities of applications they have on their mobile devices.
  • Server 151 may expose, as a web interface, an index of applications for which assessments are available and an assessment for each of these applications.
  • server 151 may organize applications in a variety of ways, such as alphabetically, by their characteristics, by their categorization, and by platform.
  • server 151 may allow a user to search for applications using terms that match the application's name, description, or fields in the application's assessment (e.g., all applications that run on Android OS and send location to the internet).
  • publicly displaying assessments may assist in the transparency of applications.
  • server 151 may direct users to the assessment page generated by server 151 as an independent third-party assessment of the capabilities of an application so that users can verify what the application is doing.
  • server 151 generates a web interface that allows a user to view an application's conditional assessment based on device data (e.g., how much battery does this application use on a Motorola Droid, how much network data does this application use on AT&T Wireless) and compare different conditional assessments (e.g., this application's battery usage on a Motorola Droid vs. a HTC Hero, how much network data does this application use on AT&T Wireless vs. Verizon Wireless).
  • device data e.g., how much battery does this application use on a Motorola Droid, how much network data does this application use on AT&T Wireless
  • conditional assessments e.g., this application's battery usage on a Motorola Droid vs. a HTC Hero, how much network data does this application use on AT&T Wireless vs. Verizon Wireless.
  • server 151 identifies data objects having extreme values for particular assessment values. For example, server 151 may generate a web page identifying which applications use more than 1 gigabyte of network data per month or which applications use more than 10% of a device's battery.
  • assessment data generated by server 151 may be utilized to provide a variety of other products and services
  • an embodiment of this disclosure is directed toward server 151 exposing assessment data via an API. All functionality exposed by a web interface, as described above, may also be exposed as an API so that a variety of products and services may be built.
  • server 151 may provide an HTTP API by which supplying a data object's package name or content hash in the request URL will result in the server returning an assessment for the data object identified by the package name or content hash.
  • server 151 may generate a JavaScript file that can be included by a remote web page and displays an interactive assessment view for a particular data object.
  • server 151 can cause assessment data, such as a rating or disposition as to whether an application is desirable or not, to appear in an application marketplace.
  • assessment data such as a rating or disposition as to whether an application is desirable or not.
  • application marketplaces may be implemented in a variety of ways, such as using a web site, using a mobile client application, using a PC-based client application, and using a messaging service such as SMS.
  • an embodiment of this disclosure will provide objective assessment information for an application or other data object.
  • server 151 may provide an API by which it may be queried for assessment data, or server 151 may proactively analyze all of the applications available in an application marketplace, transmitting assessment data to the marketplace provider.
  • a user can search the application marketplace for only those applications that meet certain desirable criteria, such as security, privacy, device efficiency, trustworthiness, and the like.
  • application providers can use the aggregated information in order to provide quality control measures.
  • the application provider may only feature applications that meet certain battery efficiency criteria, a standard for an acceptable number of crashes or errors, certain network traffic limitations, privacy protections, and the like. In this fashion, an embodiment of this disclosure can improve the offerings on an application marketplace, thereby encouraging developers to create better applications.
  • the assessment information may be used as a certification system, wherein an application meeting certain criteria may be marked with a symbol, badge or other icon denoting the positive assessment for the application.
  • an application meeting certain criteria may be marked with a symbol, badge or other icon denoting the positive assessment for the application.
  • applications that have a high trust rating or applications that only access a minimal set of private information may be considered certified.
  • the certification marker may have a link or other way for a user to retrieve a full assessment from server 151 .
  • server 151 transmits assessment information to mobile communication device 101 for display.
  • a mobile device may have an interface by which a user can explore assessments for all applications installed on the device.
  • the interface may allow a user to view assessment information for a particular application as well as allow a user to view which applications match a set of assessment criteria (e.g., all applications that send the device's location to the internet, the top 10 battery users, all applications that use more than 50 megabytes of network traffic per month).
  • mobile communication device 101 displays an interface as a part of an application marketplace, an application download process, or an application installation process on a mobile communication device so that a user browsing an application available for download or downloading/installing an application sees assessment information for the application.
  • the device When browsing, downloading, or installing an application, the device transmits identification information to server 151 and receives an assessment for the application, displaying some or all of the assessment on a user interface.
  • the interface may display the capabilities of the application or characteristics of the application.
  • the interface may also be interactive, allowing the user to explore aspects of the assessment, requesting additional assessment information from server 151 if necessary.
  • the device may display an indicator of trust for an application, as determined by server 151 and transmitted to device 101 as part of an assessment,
  • the indicator of trust may be displayed in a variety of ways, including as a certification seal (e.g., “LookoutTM certified”) or a rating (e.g., “A+”, “B ⁇ ”, “C+”).
  • a mobile communication device 101 displays a graphical assessment indication for an application.
  • notable aspects of assessments may be displayed as icons or badges for the application.
  • Some examples include badges for being “battery efficient”, being a “battery hog”, “accessing location”, having “spy capabilities”, being a “social network”, and being a “file sharing app”.
  • the badge for each notable assessment may include an illustration making the badge easy to understand and coloration indicating whether the assessment is merely informational or something potentially critical. For example an application being efficient with battery use may have a green icon showing a full battery while an application that typically uses a lot of battery may have a red icon showing an empty battery.
  • assessment information can be updated on application marketplaces and/or mobile communication devices that have cached the assessment information. For example, server 151 may send a notification to the application marketplace or mobile communication device indicating that new assessment information is available. In another example, server 151 may simply transmit the updated assessment information so that old information is overwritten.
  • server 151 may store which applications are currently installed on device 101 , the server can generate a user interface displaying assessments for those applications.
  • server 151 may generate and transmit a web interface allowing a user to view a list of all applications installed on a device, view an assessment for each installed application, and explore which installed applications match particular assessment values (e.g., all applications that can access my location).
  • server 151 may require that a user log in using authentication credentials in order to view assessments for the applications on his or her device.
  • an enterprise administrator may wish to view assessments for a group of devices from a central management console.
  • server 151 generates a web interface that allows a user to view assessments for applications installed on multiple devices.
  • the web interface may allow a user to explore all apps that are installed on a group of devices that match a certain assessment field (e.g., file-sharing applications), view risk rating assessments for the group of devices, view all of the capabilities for applications installed on the deployment, and determine which devices and which apps are causing certain capabilities and risk exposures.
  • a user may start by using server 151 to generate an overall set of security, privacy, and battery risk ratings for the group of devices then click on a rating to view the list of applications most contributing to that risk rating. A user can then view which devices have a given application.
  • a user may start by using server 151 to generate a list of all capabilities for applications installed on the group and then click a given capability to view all of the applications installed on the group that have that capability. From there, the user may further explore which devices in the group have a given application installed.
  • assessments for a group of devices are exposed by server 151 in the form of an API for use by external services such as management consoles.
  • server 151 may expose risk ratings for the group of devices to a centralized security reporting system via an HTTP API.
  • An embodiment of this disclosure is directed to using assessments to make users aware of applications' network or battery usage and alert users in the case of an abusive application.
  • Software on the device retrieves an assessment containing battery and network usage characteristics for an application from server 151 and displays the assessment to the user.
  • a device requesting assessment information from server 151 may include application data for the application.
  • the assessment may be customized for the particular device the user is using by the device sending device data when retrieving the assessment or by sending authentication data that associates the assessment request with previously transmitted device data.
  • the assessment may indicate that an application will likely reduce a user's model of phone's battery life by 5% or 1 hour; whereas a different model phone that has different battery life characteristics may receive an assessment that the same application reduces the phone's battery life by 10% or 3 hours.
  • the assessment display may occur as part of an on-device application marketplace or as a user interface dialog before, during, or after installation of an application.
  • the device collects behavioral data for the battery and network usage of an application and allows a user to view the actual behavioral data from an interface on the device.
  • the interface may allow a user to view a particular application's battery and network usage as well as view the top network and battery using applications in order to identify which applications are contributing to network overage or short battery life.
  • mobile communication device 101 reports behavioral data for applications installed on the device to server 151 and allow the user to view the actual behavioral data via a web interface generated by the server.
  • server 151 One having ordinary skill in the art will appreciate that other characteristics of mobile applications can be monitored and shown to users as well.
  • mobile communication device 101 monitors the network and battery usage of applications installed on the device and notifies the device's user when an application exceeds desirable limits. For example, the user may set thresholds for how much data applications may transmit and receive before he or she is notified. In another example, a user is notified when the device determines that an application will adversely affect the user's battery life or phone bill. If a user typically uses a phone for 20 hours before plugging it in and an application on the device reduces the estimated battery life to less than 20 hours, it's likely that the user will run out of battery. It may then be important to alert the user that there is an action he or she can take to avoid running out of battery, namely uninstalling or otherwise disabling high battery using applications.
  • device 101 or server 151 predicts the future data usage of a device and gathers information about the device's data plan.
  • device 101 or server 151 connects to a network operator's servers to determine data plan information such as the data allocation per billing cycle, what their billing cycle is, and how much data has been used during the current billing cycle. Communications to the network operator's servers may occur in a variety of ways, such as via an HTTP API or SMS messaging.
  • server 151 may analyze typical data usage for applications installed on a device and actual data usage on that device. If an application is newly installed, typical data usage may be used while for an application that has been on the device for months, actual data usage may be used. If applications on device 101 use network data at a rate that would exceed the device's data plan allocation by the end of the billing cycle, software on the device displays an alert indicating the likely overage charges. The alert may also display the applications most contributing to the data usage and give the user to uninstall or reconfigure the applications.
  • Device 101 may report the alert to server 151 which may also send a notification (e.g., via email) indicating the potential for data overage.
  • Software on device 101 or server 151 may display an indication of the current predicted data usage relative to the device's data allocation so that a user may adjust his or her application usage patterns accordingly. For example, if a user is concerned about exceeding his or her data plan, he or she may check what the current predicted data usage is before engaging in a video chat.
  • policy includes blacklists and whitelists.
  • a blacklist is a set of applications or assessment criteria that are explicitly denied from running on a mobile communication device while a whitelist is a set of applications or assessment criteria that are explicitly allowed to run on a mobile communication device.
  • a policy may allow only applications on a whitelist or only applications not on the blacklist.
  • explicit application entries have higher priority than assessment criteria entries.
  • a policy may specify certain capabilities (e.g., sending a device's location to the internet) that are blacklisted but specify certain applications that are whitelisted. In this case, all applications that send location to the internet may be blocked unless they are explicitly on the whitelist because the explicit applications on the whitelist are of higher priority than the assessment criteria on the blacklist.
  • capabilities e.g., sending a device's location to the internet
  • applications that are whitelisted.
  • all applications that send location to the internet may be blocked unless they are explicitly on the whitelist because the explicit applications on the whitelist are of higher priority than the assessment criteria on the blacklist.
  • an embodiment of this disclosure is directed to software on a mobile communication device allowing a user to set policies based on assessment criteria for applications, the software blocking applications that exceed an undesirability threshold.
  • the software requests an assessment for the application from server 151 and receives the assessment from the server.
  • a user may set privacy, security, and battery life policy thresholds individually on a relative scale (e.g., 0 to 10).
  • software on the device retrieves an assessment for the application and compares the application's privacy, security, and battery ratings with the policy thresholds and alerts the user if the application exceeds the configured policy.
  • a user may want to simply be warned of the undesirability.
  • the user can ignore the alert and choose to accept the application anyway.
  • the device displays a user interface indicating that an application is undesirable for the user. For example, a mobile device may display an indication of whether an application being viewed for possible download in an application marketplace meets the user's desirability criteria.
  • software on a device may allow a user to view all applications that do not meet desirability criteria. Such an interface may be useful if a user changes his or her criteria and wants to view applications that are now undesirable given the new criteria.
  • server 151 allows a user or administrator to set policy for a device or group of devices.
  • the device sends a request to server 151 for an assessment of the application.
  • the assessment contains an indication of whether the application is allowed or disallowed and may also contain the policy criteria for why a disallowed application was assessed to be disallowed.
  • policy on server 151 is configurable via a web interface.
  • server 151 allows policy to be configured by assessment criteria as well as on a per application basis. For example, an administrator may use server 151 to block all applications that are in a certain category such as social networking applications or all applications that access certain capabilities such as the ability to transmit files or other sensitive data from a device. In an example, an administrator may wish to only allow particular applications by creating a whitelist, blocking all applications not on the whitelist. In a further example, an administrator may permit all applications other than particular applications that are on a blacklist because they are known to be undesirable. Because the set of applications allowed or denied under a policy may be pre-computed, an embodiment of this disclosure is directed to server 151 generating a set of policy definitions and transmitting the policy definitions to one or more mobile communication devices 101 .
  • server 151 may transmit a list of identifying information for the whitelisted applications to a mobile device so that the device does not need to contact the server for assessments every time it encounters an application.
  • the policy configuration user interface on mobile communication device 101 or server 151 includes an interface for viewing applications that would be blocked or allowed as part of a configuration change. If the configuration change interface is displayed on mobile communication device 101 , the device may send requests for data to server 151 to populate the interface. It may be desirable to show all of the applications allowed or blocked after the configuration change goes into effect or only the difference in applications allowed or blocked between the current configuration and the new configuration.
  • the interface may display summary information and allow a user to search for a particular application to determine whether the configuration change affects that application and whether the configuration change would result in that application being allowed or blocked.
  • the interface displaying the effect of a configuration change indicates whether any popular applications would be blocked. For example, application popularity may be determined based on overall distribution data determined by server 151 or by the prevalence of the application in the group of devices being managed.
  • the change result interface only displays changes that affect applications that are currently installed on at least one device in the group being managed.
  • an embodiment of this disclosure is directed to server 151 maintaining sets of acceptable apps and allowing a user or IT administrator to easily add those sets to a whitelist, the whitelist automatically including changes to the sets of acceptable apps.
  • server 151 may maintain a list of applications that are popular overall or a list of popular applications by application category.
  • the server may present a way to include all popular applications or only popular applications in particular categories (e.g., games, social networks) in the policy's whitelist.
  • such dynamic list policies are of higher priority than assessment criteria entries on blacklists and whitelists but of lower priority than explicit application entries.
  • server 151 may maintain a list of applications with high trust.
  • the server may present a way to include all high-trust applications in the policy's whitelist. Whenever the high-trust list is updated, applications with high trust are effectively considered whitelisted when making policy assessments.
  • server 151 may be desirable for server 151 to supply data to a device management server that actually performs the policy enforcement.
  • server 151 interfaces with a device management server to configure application policy on the device management server.
  • the device management server may support configurable application blacklists and whitelists. If a user sets configuration on server 151 to only allow applications that are on a whitelist or that match certain assessment criteria, server 151 generates the list of applications to be whitelisted and transmits the list of applications to the device management server in a format and over a protocol that the device management server supports.
  • server 151 if a user configures a blacklist on server 151 , the server generates the list of applications that are on the blacklist and configures the device management server to enforce the blacklist.
  • server is capable of configuring multiple device management servers. For example, if an organization supports multiple mobile device operating systems and uses different mobile device management servers, an administrator can configure a cross-platform policy on server 151 (e.g., blocking all file sharing applications). Server 151 may then identify all of the applications across multiple platforms whose assessments match the policy and configure the appropriate application policies on device management servers.
  • server 151 Because each device management server may only support a subset of mobile device platforms that server 151 supports, server 151 only transmits policy information to a device management server that corresponds to data objects that run on operating systems that are supported by the device management server. For example, if a device management server only supports Blackberry devices, server 151 may only configure the device management server's blacklist and/or whitelist with information about Blackberry applications.
  • policy compliance checking can be performed by either server 151 or mobile communication device 101 .
  • server performs compliance checking
  • any compliance settings are stored on server 151 so that any configuration performed on mobile communication device 101 results in that configuration being transmitted to the server.
  • the server includes in the assessment an indication of whether the application is allowed or disallowed by policy.
  • mobile communication device 101 performs compliance checking
  • any compliance settings are stored on mobile communication device 101 so that any configuration performed on server 151 results in that configuration being transmitted to the device.
  • the device receives an assessment for an application, it compares the assessment to the policy configuration to determine if the application is allowed.
  • policy management is integrated with a server-coupled anti-malware system so that signatures and assessments for applications provided by server 151 enable device 101 to block data objects that violate policy. For example, when a device 101 requests for an assessment from server 151 , the server's assessment indicates that an application is undesirable if the application is considered malicious or if it violates policy. In either case, the assessment produced may indicate further information about why the application was found to be malicious or policy-violating. In another example, server 151 may pre-emptively transmit signatures for malicious or policy-violating applications to mobile communication device 101 so that the device can recognize whether a data object is desirable or undesirable without having to contact server 151 .
  • a device 101 has installed an application that violates a protection policy in place on either the device or server 151 or the assessment for an application has been updated to make it violate the protection policy, it may be desirable for remediation actions to be taken by the device or other systems.
  • the server or software on the device can enact remediation actions to occur.
  • either the device or server may determine what remediation actions to take.
  • server 151 transmits an updated assessment to the device including remediation actions for the device to take.
  • server 151 may undertake pre-configured remediation actions such as removing the application. The device may also transmit this behavioral data to server 151 and indicate the policy violation.
  • remediation actions When a device is detected to be violating policy, a variety of remediation actions are possible, for example, any violating applications may have their processes ended, may be uninstalled or isolated from accessing certain system functionality (e.g., internet, private data), or may be restricted from accessing certain networks (e.g., only allowed to access Wi-Fi, not the cellular network). It may also be desirable to isolate the whole device from accessing sensitive resources such as a corporate email or VPN server while it is out of compliance to prevent information leakage. Other remediation actions may include those disclosed in U.S. patent application Ser. No. 12/255,614, filed on Oct. 21, 2008 and incorporated in full herein.
  • server 151 determines whether a group of mobile communication devices is in compliance with application policy and which applications are installed on devices in the group. For example, if mobile communication devices report the applications they have installed and server 151 contains policy configuration, the server can determine which devices currently violate the policy set by an administrator. To allow an administrator to view the compliance status, server 151 may generate a web interface listing whether or not all devices are in compliance and if any devices are out of compliance, how many there are. The interface may also allow the administrator to view specific devices that are out of compliance, view which applications make the devices out of compliance, and initiate remediation actions (e.g., removing an application) remotely.
  • remediation actions e.g., removing an application
  • server 151 presents a one-click remediation action whereby an administrator can click a single button to remotely initiate remediation actions on all devices in the group the administrator is managing. For example, if an administrator managed 100 devices and 10 of the devices had applications that violated policy, the administrator could click the one-click remediation button on the web interface to cause the server to send indications to each of the 10 out-of-compliance devices to remove the undesirable applications without any user intervention required.
  • each device 101 may send an indication to server 151 indicating whether it was successful or not.
  • server 151 may generate an interface by which the administrator can view the status of the remediation.
  • Other methods of server exposing compliance status include server 151 exposing an API (e.g., for use by a security management console) and server 151 generating reports that can be downloaded.
  • mobile communication device 101 transmits information about the installation of a data object to server 151 . If server 151 determines the data object to be undesirable based on universal undesirability characteristics or characteristics for the user, the server transmits a notification. For example, if a user installs an application that is assessed as desirable, but at some point in the future, the application begins to exhibit malicious or other undesirable behavior such as wasting battery, the server may change its assessment to indicate that the application is undesirable.
  • the notification may take a variety of forms, such as an email, SMS message, or user interface dialog displayed on a web page, on a PC, or on a mobile communication device.
  • policies can be set for a specific application, even if the application is available on multiple platforms and has multiple versions. For example, it is not uncommon for an IT administrator to manage a fleet of mobile communication devices running different operating systems.
  • the fleet of mobile communication devices can include iPhones, BlackBerry devices and Android devices.
  • a certain application is known to be undesirable on all three device operating systems, such as a social networking application that can disclose private information, then the IT administrator can block all versions of the application from installation, regardless of platform.
  • an application can share sensitive information on one platform but not others, then the IT administrator can allow installation of the application on only the platforms that don't share sensitive information.
  • An embodiment of this disclosure is directed to server 151 sending a notification in the case of an application that is present on a blacklist or whitelist changing its capabilities or characteristics significantly. For example, if a new version of an application that is on an administrator's whitelist has the capability to transmit files from a user's device while previous versions did not, then server 151 may send an email or text message to the administrator indicating the change.
  • the policy management interface on server 151 may also display a list of applications that may need attention based on changed characteristics.
  • an embodiment of this disclosure is directed to software on mobile communication device 101 or server 151 may provide default policies that account for common use cases. For example, a user may be able to select that they are concerned with battery life and location privacy but they are not concerned with network usage and phone number privacy. By selecting such concerns, the device or server automatically configures policies and thresholds for undesirable applications.
  • server 151 or device 101 contains pre-set policies for compliance with regulations. For example, financial industry or healthcare industry workers may be required to have a particular set of application policies in place to prevent the disclosure of sensitive information. Because the set of applications allowed or denied under these regulations may change over time, server 151 may automatically update the specific policy decisions that enforce the regulation without an administrator needing to specifically configure them.
  • server 151 may generate a list of policy decisions it is employing to comply with regulation and may notify an administrator when policy decisions will change. If an administrator rejects certain policy decisions, he or she may override the default policy set by server 151 .
  • an embodiment of this disclosure is directed to server 151 or mobile communication device 101 presenting a series of questions to a user or administrator, the answers to the questions being used to automatically set policy.
  • the software may ask whether the user has an unlimited data plan, whether the user wants to allow services to access the device's location, and whether the user wants to block all tools that can be used to spy on the device.
  • the device may set policy of whether to block high data usage applications, whether to alert the user in the case of a high data usage application, whether to block applications that send a user's location to the internet, and whether to block espionage applications.
  • a user may desire to tweak policy decisions, while other users may accept the automatically configured policy.
  • server 151 may use information such as behavioral data and other data available to it in order to produce an assessment of whether an application has network access characteristics that may be harmful for mobile networks. For example, an application that receives or transmits a large amount of data, sends a large number of SMS messages, or opens a large number of persistent connections may adversely affect a mobile network's performance. After assessing an application to determine if it is potentially harmful to a mobile network, server 151 stores the assessment. In an embodiment, server 151 notifies an administrator when a potentially harmful application is identified. For example, the notification may be in the form of an email or text message that contains information about the potentially harmful data object.
  • server 151 generates a web interface that displays applications that have been assessed as potentially harmful to a mobile network.
  • the web interface may be designed to support a review workflow so that potentially harmful applications can be further analyzed by an administrator. After examining an application, the administrator may want to take remediation action in some cases while, in other cases, the administrator may want to take no action. If an administrator chooses to take no action, the application will not be considered potentially harmful unless its behavior significantly changes, triggering server 151 to identify the application for re-review. In order to prevent multiple data objects for a given application being repeatedly identified as potentially harmful, if an administrator chooses to ignore an application, all versions of that application will also be ignored, as server 151 can determine whether multiple data objects belong to the same application or other grouping.
  • server 151 If an administrator is aware of a potentially harmful application, he or she can take preemptive measures to avoid serious problems if the application is installed on more devices.
  • server 151 generates a web interface allowing an administrator to take remediation actions for an application that is considered harmful.
  • a variety of remediation actions are possible.
  • server 151 may present an interface allowing the network administrator to communicate with the publisher of the application and work through a resolution for the harmful behavior.
  • Server 151 may extract the publisher's email address from marketpalce data and allow a network administrator to type in a message via the server's web interface that server 151 sends to the publisher.
  • server 151 When server 151 sends the email, the reply-to address in the outgoing email is specially set so that when the publisher responds, server associates the response with the initial message and publishes the response in the web interface for administrator to view and potentially continue the conversation.
  • server 151 generates a web interface allowing an administrator to configure security software installed on a group of devices. For example, the administrator may wish to configure the security software to block the potentially harmful application or isolate the application so that it cannot communicate via a cellular network. If the administrator desires to block the application, server 151 may use a variety of mechanisms, such as those disclosed herein to block the application from being installed on devices or to remove the application if it is already installed on devices.
  • server 151 can identify multiple data objects that correspond to the same application, if an administrator blocks an application, all data objects for the application are considered to be blocked. If an application that was potentially harmful is fixed in a subsequent version, server 151 may allow the administrator to specify a range of versions of the application to block.
  • server 151 may store a set of blacklisted data objects and be able to generate a set of intrusion prevention system or HTTP proxy rules.
  • the rules may attempt to match identifiers used by mobile devices to download data objects from an application marketplace or to identify the content of undesirable data objects as they are transmitted across a network.
  • server 151 generates network infrastructure configuration data to block network traffic associated with undesirable applications.
  • Server 151 generates network infrastructure configuration rules that prevent network communication associated with undesirable applications by server 151 using behavioral data for an undesirable application to characterize the network communications associated with the application and generating rules that block similar network traffic (e.g., traffic to the same IP address, subnet, or hostname).
  • server 151 may analyze how unique the undesirable application's network traffic is relative to desirable applications and only block network traffic that is particular to the undesirable application. For example, if an application communicates with two servers, one which is a well-known server used by a variety of legitimate applications and another which is an unknown server only communicated with by this application, server 151 would treat the unknown server as particular to the undesirable application.
  • server 151 After determining the appropriate network traffic to block, server 151 generates firewall or other network configuration rules to block undesirable applications' network traffic. For example, if a malicious application is using a particular server to exfiltrate sensitive data from peoples' phones, behavioral data for the application may indicate the IP address, port, and protocol used to transmit the sensitive data. When an administrator wishes to block the malicious application's capability to steal data, he or she may see the list of servers the application communicates with and how many other applications known to server 151 typically communicate with that server. The administrator then has the ability to choose which servers to block. After selecting the servers to block, server 151 generates rules that block the network traffic. In an embodiment, sever 151 makes configuration data, such as Snort® intrusion detection and prevention system rules, available for download via a web interface. In an embodiment, server 151 is configured to directly connect with a network infrastructure management system to deploy configuration data.
  • server 151 is configured to directly connect with a network infrastructure management system to deploy configuration data.
  • an embodiment of this disclosure is directed to server 151 producing both aggregate assessments and operator-specific assessments to identify potentially harmful applications and generating a user interface containing both. For example, if an application misbehaves only when running on a device connected to a particular type of mobile network, the aggregate behavioral data may be within normal bounds; however, the behavioral data for a particular network may be harmful. A network administrator may want to view the behavior of an application on the type of network he or she is administrating. Because individual mobile networks may treat different behavior as abusive, a user on server 151 can configure the criteria for considering an application harmful to the network.

Abstract

A server receives from a mobile communication device information about a data object (e.g., application) on the device when the device cannot assess the data object. The server uses the information along with other information stored at the server to assess the data object. Based on the assessment, the device may be permitted to access the data object or the device may not be permitted to access the data object. The other information stored at the server can include data objects known to be bad, data objects known to be good, or both.

Description

CROSS-REFERENCE TO RELATED APPLICATIONS
This application is a continuation of U.S. patent application Ser. No. 12/868,669, entitled “SYSTEM AND METHOD FOR SERVER-COUPLED MALWARE PREVENTION,” filed on Aug. 25, 2010, which is a continuation-in-part of U.S. patent application Ser. No. 12/255,621, entitled “SYSTEM AND METHOD FOR ATTACK AND MALWARE PREVENTION,” filed on Oct. 21, 2008, now U.S. Pat. No. 8,108,933, and incorporated by reference herein. This application is related to the following co-pending U.S. patent applications: U.S. patent application Ser. No. 12/868,672, entitled “SYSTEM AND METHOD FOR SECURITY DATA COLLECTION AND ANALYSIS,” and U.S. patent application Ser. No. 12/868,676, entitled “SYSTEM AND METHOD FOR MOBILE COMMUNICATION DEVICE APPLICATION ADVISEMENT,” all of which are incorporated by reference herein.
BACKGROUND
This disclosure relates generally to mobile security, and specifically, to detecting and preventing data from adversely affecting a mobile communication device or group of mobile communication devices.
Today's mobile communication devices, such as cellular telephones, smartphones, wireless-enabled personal data assistants, tablet PCs, netbooks, and the like, are becoming more common as platforms for various software applications. A mobile communication device user now has more freedom to choose and install different software applications, thereby customizing the mobile communication device experience. However, while there are many positive software applications available on the market, the ability to interact, install, and operate third party software inevitably leaves the mobile communication device susceptible to vulnerabilities, malware, and other harmful software applications. Unlike desktop computers and other less portable computing devices that can install and run antivirus software to protect against harmful software applications, mobile communication devices lack the processing power or resources for effectively running analogous software.
Third party applications have been developed that provide rudimentary scanning functions on a mobile communication device; however, these applications are often device, operating system, or application-specific. As such, a single universal platform-agnostic system for efficiently monitoring, scanning, remedying, and protecting mobile communication devices does not exist. It would be desirable to provide such a system that works on any mobile communication device, that is hardware and software agnostic, and that can be continuously updated to provide constant real-time protection. Moreover, it would be desirable to provide an adaptable system that can act and react to the demands and changes affecting a number of mobile communication devices, thereby providing intelligent malware protection.
One feature common to many mobile communication devices is the fact that they are constantly connected to a network. However, despite this common link, it is difficult to safeguard mobile communication devices fully at the mobile network level, as devices may connect to additional networks and utilize encrypted services, both of which often bypass network level protection. Rather than rely only on the processing and memory resources of each mobile communication device on the network, it would be desirable to provide a system that protects mobile communication devices remotely, providing malware prevention and analysis measures to multiple devices without the overhead of those measures running locally on each device.
One of the issues that make it difficult to protect mobile communication devices from undesirable applications is the many different types of data and applications that are available for such devices. While service providers are able to manage the network traffic in providing applications, there is no current way to effectively monitor the behavior of these applications after they have been installed on a user's mobile communication device. As a further result, it is difficult to identify new, previously unknown malicious applications by their behavior and to track and prevent the spread or dissemination of damaging applications and data once they have been released to the network. It would be desirable to provide a system that can actively monitor a group of mobile communication devices in order gather data about the installation and behavior of applications on mobile communication devices.
Once such a system is in place, it would be desirable to use data and information gained about mobile communication device applications to help users make more educated decisions about the applications they choose to run on their mobile communication devices and to allow administrators and network operators to take preventative measures to further secure both individual devices and the network as a whole. It would be further desirable to develop a way to anonymously collect data about mobile communication device behaviors and activities in order to promote the development of safer mobile applications.
BRIEF DESCRIPTION OF THE FIGURES
This disclosure is illustrated by way of example and not limitation in the figures of the accompanying drawings, in which like references indicate similar elements, and in which:
FIG. 1 is an exemplary block diagram depicting an embodiment of the disclosure.
FIG. 2 is an exemplary flow diagram illustrating the steps of an embodiment of the disclosure.
FIG. 3 is an exemplary flow diagram illustrating the steps of an embodiment of the disclosure.
FIG. 4 is an exemplary flow diagram illustrating the steps of an embodiment of the disclosure.
FIG. 5 is an exemplary flow diagram illustrating the steps of an embodiment of the disclosure.
FIG. 6 is an exemplary flow diagram illustrating the steps of an embodiment of the disclosure.
FIG. 7 is an exemplary flow diagram illustrating the steps of an embodiment of the disclosure.
FIG. 8 is an exemplary flow diagram illustrating the steps of an embodiment of the disclosure.
FIG. 9 is an exemplary flow diagram illustrating the steps of an embodiment of the disclosure.
FIG. 10 is an exemplary flow diagram illustrating the steps of an embodiment of the disclosure.
FIG. 11 is an exemplary flow diagram illustrating the steps of an embodiment of the disclosure.
FIG. 12 is an exemplary flow diagram illustrating the steps of an embodiment of the disclosure.
DETAILED DESCRIPTION
This disclosure is directed to a system and methods for using a server to provide protection from and removal of undesired applications or other data objects that may affect a mobile communication device or plurality of mobile communication devices, regardless of the make or model of the mobile communication device(s), the mobile communication network, or the software applications present on the mobile communication device(s). As used herein, all of the services associated with the identification, analysis, and removal of potentially undesired applications or other data objects, as well as mobile communication device protection are described under the non-limiting term, “security.” Thus, an embodiment of this disclosure is directed to providing security to a plurality of mobile communication devices, such as a plurality of mobile communication devices for a group of employees, or a plurality of mobile communication devices that access a particular network. An embodiment of this disclosure is directed to safely and securely gathering information about applications on mobile communication devices without taxing individual mobile communication devices or the mobile network and utilizing the information about applications to secure mobile communication devices. An embodiment of this disclosure is directed to using information gathered from mobile communication devices to generate user or device information that can be used to develop future products or services for mobile communication devices.
It should be appreciated that an embodiment of this disclosure can be implemented in numerous ways, including as a process, an apparatus, a system, a device, a method, a computer readable medium such as a computer readable storage medium containing computer readable instructions or computer program code, or as a computer program product comprising a computer usable medium having a computer readable program code embodied therein. One will appreciate that the mobile communication device described herein may include any computer or computing device running an operating system for use on handheld or mobile devices, such as smartphones, PDAs, tablets, mobile phones and the like. For example, a mobile communication device may include devices such as the Apple iPhone®, the Apple iPad®, the Palm Pre™, or any device running the Apple iOS™, Android™ OS, Google Chrome OS, Symbian OS®, Windows Mobile® OS, Palm OS® or Palm Web OS™. As used herein, the mobile communication device may also be referred to as a mobile device, a mobile client, or simply, as a device or as a client.
In the context of this document, a computer usable medium or computer readable medium may be any medium that can contain or store the program for use by or in connection with the instruction execution system, apparatus or device. For example, the computer readable storage medium or computer usable medium may be, but is not limited to, a random access memory (RAM), read-only memory (ROM), or a persistent store, such as a mass storage device, hard drives, CDROM, DVDROM, tape, erasable programmable read-only memory (EPROM or flash memory), or any magnetic, electromagnetic, infrared, optical, or electrical system, apparatus or device for storing information. Alternatively or additionally, the computer readable storage medium or computer usable medium may be any combination of these devices or even paper or another suitable medium upon which the program code is printed, as the program code can be electronically captured, via, for instance, optical scanning of the paper or other medium, then compiled, interpreted, or otherwise processed in a suitable manner, if necessary, and then stored in a computer memory.
Applications, software programs or computer readable instructions may be referred to as components or modules or data objects or data items. Applications may be hardwired or hard coded in hardware or take the form of software executing on a general purpose computer such that when the software is loaded into and/or executed by the computer, the computer becomes an apparatus for practicing the disclosure. Applications may also be downloaded in whole or in part through the use of a software development kit or toolkit that enables the creation and implementation of an embodiment of the disclosure. In this specification, these implementations, or any other form that an embodiment of the disclosure may take, may be referred to as techniques. In general, the order of the steps of disclosed processes may be altered within the scope of the disclosure.
As previously mentioned, security services may be provided to one or more mobile communication devices by a server or group of servers that operate together. There are many possible ways in which multiple servers may operate together to provide security services without departing from the scope of this disclosure. An embodiment of this system is shown in FIG. 1, in which one or more servers 151 communicate with one or more mobile communication devices 101 over a cellular, wireless Internet or other network 121. As mentioned above, mobile communication device 101 may also be referred to as a “mobile client device,” “client device,” “device,” or “client,” and may be referred to in the singular or plural form. The one or more servers 151 may have access to a data storage 111 that stores security information for the one or more mobile communication devices 101. Data, assessment information, information about the mobile communication devices 101, or other objects for storage may be stored on servers 151 and/or data storage 111. Servers 151 or data storage 111 may be singular or plural, or may be physical or virtualized. Data storage 111 may be a database, data table, data structure, file system or other memory store. Data storage 111 may be hosted on any of the one or more servers 151, or may exist externally from the one or more servers 151, so long as the one or more servers 151 have access to data storage 111. In an embodiment, data storage 111 is an external service provided by a third-party, such as the Simple Storage Service (S3) or other products provided by Amazon Web Services, LLC. One will appreciate that the configuration of the system illustrated in FIG. 1 is non-limiting and merely exemplary, and that other configurations are possible without departing from this disclosure.
One will appreciate that communication between mobile communication device 101 and server 151 may utilize a variety of networking protocols and security measures. In an embodiment, server 151 operates as an HTTP server and the device 101 operates as an HTTP client. To secure the data in transit, mobile communication device 101 and server 151 may use Transaction Layer Security (“TLS”). Additionally, to ensure that mobile communication device 101 has authority to access server 151, and/or to verify the identity of mobile communication device 101, device 101 may send one or more identifiers or authentication credentials to server 151. For example, authentication credentials may include a user name and password, device specific credentials, or any other data that identifies mobile communication device 101 to server 151. Authentication may allow server 151 to store information specific to mobile communication device 101 or an account associated with mobile communication device 101, to provide customized services to device 101, and to maintain a persistent view of the security status of mobile communication device 101.
In order to provide security services for mobile communication device 101, one having ordinary skill in the art will appreciate that mobile communication device 101 will transmit certain data to server 151. As will be discussed in more detail below, server 151 will analyze this data and provide a security related assessment, response and/or other action. The following describes the type(s) of data transmitted from mobile communication device 101 to server 151, the analysis performed by server 151, and the action taken with or by mobile communication device 101.
One will appreciate that an embodiment of this disclosure may exist independently on mobile communications device 101, or may be incorporated into an existing security system resident in the mobile communications device such as the one described in U.S. patent application Ser. No. 12/255,614, entitled “SYSTEM AND METHOD FOR MONITORING AND ANALYZING MULTIPLE INTERFACES AND MULTIPLE PROTOCOLS,” filed on Oct. 21, 2008, and incorporated in full herein. One having ordinary skill in the art will also appreciate that in order to implement an embodiment of this disclosure on a variety of mobile communications device platforms, it may be necessary to incorporate a cross-platform system such as the one disclosed in U.S. patent application Ser. No. 12/255,626, entitled “SYSTEM AND METHOD FOR A MOBILE CROSS PLATFORM SOFTWARE SYSTEM,” filed on Oct. 21, 2008, and incorporated in full herein. In addition, as discussed further below, aspects of this disclosure may be used to determine a security state for a mobile communications device 101, as described in U.S. patent application Ser. No. 12/255,632, entitled “SECURE MOBILE PLATFORM SYSTEM,” filed on Oct. 21, 2008, and incorporated in full herein.
One having ordinary skill in the art will appreciate that mobile communication devices are exposed to different types of data. This data includes network data, files, executable and non-executable applications, emails, and other types of objects that can be transmitted to, received by, or installed on a mobile communications device. Mobile communication devices also typically transmit and receive data through one or more network interfaces, including Bluetooth, WiFi, infrared, radio receivers, and the like. Similarly, data may be encapsulated in a layered communications protocol or set of protocols, such as TCP/IP, HTTP, Bluetooth, etc. Current server-client security models, such as those currently available for desktop and laptop computers, cannot extend their capabilities to provide adequate assessment and security to a plurality of mobile communication devices.
This disclosure contemplates at least two types of data that can be used to evaluate and protect mobile communication devices. The first type of data includes data about a mobile communication device, i.e., “device data.” Device data pertains to the state, capabilities, operating system, firmware version, memory capacity, available communication ports, battery limitations, hardware characteristics and other “baseline” information that may be common to all similar devices absent user customization. Device data may include the default specifications for a device as it is received from a manufacturer, service provider, or IT service. Device data may include state information common to all similar mobile communications after they have all been upgraded in some fashion. As will be discussed further below, device data may be used to evaluate whether vulnerabilities exist due to unguarded communication ports, operating system exploits, device-specific attacks, and the like.
A second type of data that can be used to evaluate mobile communication devices is data that pertains to a particular application, file, or object that may be installed or run on a mobile communication device. As used herein, this data is referred to as “application data.” Application data includes both data objects and information about data objects, such as behavioral data or metadata. Data objects include application packages that may be particular to certain mobile communication devices. For example, iPhone OS devices typically use IPA files or APP packages, Android OS devices typically use APK files, Windows Mobile devices typically use CAB, EXE or DLL files, and Symbian OS devices typically use SIS files. Devices may also support cross-platform application formats such as the SWF format underlying Adobe's Flash runtime or JAR files that can be run on Java virtual machines.
Application data includes data objects that are malware or spyware, and thereby can negatively affect a mobile communication device. Malware and spyware include applications, files, and other data objects that are purposefully designed to adversely affect or steal information from a mobile communication device. Application data also includes data objects that are not designed for nefarious reasons, but may have coding flaws or other issues that can negatively affect a device. Application data also includes data objects that may be undesirable for various reasons. For example, a data object may be undesirable because it compromises privacy, overtaxes a device's battery or network connection, and/or has objectionable content. As used herein, “data objects” may also be referred to as “data items.” Use of either term is not intended to limit the data to any one form.
Application data includes metadata about data objects. For example, metadata is information about a specific data object, rather than the data object itself. Metadata includes the location on a mobile communication device's filesystem where a data object is stored, a hash of the data object, the name of the data object, a unique identifier present in or associated with the data object such as a GUID or UUID, security information related to the data object such as its cryptographic signer information or level of permissions granted, and characteristics of how the data object is installed on or integrates with the mobile communication device's operating system. Metadata for a data object may also include from where the data object came (e.g., a URL from where it was downloaded, an application marketplace from which it was downloaded, a memory card from where it was installed or stored. Metadata may also be retrieved from an application marketplace. Such metadata, called marketplace metadata, includes information about a data object such as the number of downloads, user comments about the data object, the description of the data object, permissions requested by the data object, hardware or software requirements for the data object, information about the data object's author, the price of the data object, the language or languages supported by the data object, and other information that a marketplace may provide.
In an embodiment, application data also includes behavioral data. Behavioral data includes information about how an application interacts with or uses a mobile communication device's resources, such as memory usage, battery usage, network usage, storage usage, CPU usages, API usage, errors and crashes, network services connected to (e.g., remote host address and port), and runtime library linkage. Behavioral data also includes information about how an application, file or data object, when it is run, utilizes the functionalities of the mobile communication device's operating system, such as notifications and messaging between processes or installed applications.
As will be explained further below, both device data and application data are useful for providing an assessment of the security of a device based upon the data stored (e.g., installed applications) or passing through the device. One having ordinary skill in the art will appreciate that device data and application data are merely examples of the types of data that may used in order to safeguard a mobile communication device or provide other functions related to a mobile communication device. Other types of data may also be evaluated by the disclosed system without departing from the scope of this disclosure. As used herein, the term assessment refers to information relating to a data object that may be used to evaluate or otherwise further understand a data object's operation or effect of operation. For example, an assessment may include a determination that an application is malicious or non-malicious, bad or good, unsafe or safe, or that an application may appear on a blacklist or whitelist. An assessment may include categorization or characterization data for a data object, ratings such as security ratings, privacy ratings, performance ratings, quality ratings, and battery impact ratings for a data object, trust ratings for a data object, distribution data for a data object. Assessments may result from collecting and/or processing data by server 151 and may be exposed by server 151 to users or other systems via an API, user interfaces, data feeds, or other methods. One will appreciate that the previous description for an “assessment” is not meant to be limiting in any fashion.
A. Device Data Collection
What follows is a discussion about how device data and application data are collected and stored, according to an embodiment of this disclosure. In general, the following discussion includes communications between server 151 and mobile communication devices 101 over network 121. Any data transmitted or received during these communications may be stored on server 151 or on data storage 111. In an embodiment, data stored on data storage 111 or server 151 is associated with a particular account or device known to the system. The association between data and a device or account may allow server 151 to provide tailored functionality for the account or device based on previously received data. In an embodiment, some or all of the data is stored on server 151 or data storage 111 with an anonymous association to a particular account or device. For example, data may be stored with an anonymous association for privacy purposes so that examination of the data on server 151 or data store 111 cannot tie the anonymously-associated data to a particular account or device; however, a device can populate and update this anonymously-associated data. Anonymous associations are described in further detail below. In an embodiment, server 151 will request information from mobile communication devices 101, which will respond with the requested information. In an embodiment, a mobile communication device 101 will transmit device data and/or application data to server 151 for analysis and assessment. For example, a user of mobile communication device 101 may wish to download a file to his device, but prior to installing the file, may wish to send the file or identifying data associated with the file to the server 151 in order to check if the file is malicious or otherwise undesirable. Server 151 will then analyze this received information in order to provide a security assessment that is available to any of the mobile communication devices 101. In another example, it may be useful to know how an assessed data object will affect the performance or behavior of a mobile communication device, the assessment containing information such as average battery impact or average network usage of the data object. In an embodiment, server 151 stores assessments of data objects after analysis and can provide access to these assessments in a number of ways. The analysis performed by server 151 will be discussed further below. The process by which server 151 provides access to assessment information will be also be discussed further below.
To prevent taxing network 121 and server 151 with network traffic, various methods may be used to reduce the amount of data requested by and transmitted to server 151. For example, rather than transmitting whole data objects, such as application files or application packages, for analysis, hashing functions or hashing algorithms may be applied to data and the resulting hash of the data may be sent to the server 151. The server 151 may use the hash to uniquely identify the data object. If the server has previously performed an assessment of the data object identified by the hash, the server 151 may return that previous assessment if it is still valid. If the server 151 has not yet performed an assessment for the data object, the server 151 may return a response indicating that the assessment is unknown and/or request additional data from the mobile communication device 101. One having ordinary skill in the art will appreciate that a hashing algorithm will transform an arbitrary amount of data into a fixed length identifier. For example, the SHA-1 hashing algorithm can digest an arbitrary amount of input data into a 160-bit hash. In another example, metadata besides a hash of the data object may be sent in lieu of a data object itself, e.g., metadata for an application may be sent for an assessment rather than the whole application. In many cases, metadata, such as a package name, application name, file name, file size, permissions requested, cryptographic signer, download source, a unique identifier such as a UUID, and other information may be sufficient as identifying information for a data object; thus, if server 151 receives appropriate identifying information, it can determine if the data object is undesirable. One skilled in the art will appreciate that there are a variety of methods by which a data object can be identified in such a way that can allow server 151 to determine if a data object installed on device 101 is malicious without having to transmit the entire data object to server 151.
In an embodiment of this disclosure, server 151 may request portions of a data object, rather than a complete data object. A whole data object may be transmitted incrementally such that network 121 is not burdened by network traffic. Alternatively or additionally, server 151 may request information about a particular application, but may query a group of mobile communication devices that each has this application. In this manner, server 151 may receive a portion, or “chunk” of data from one mobile communication device, and another portion of data from a second mobile communication device, and so forth, as necessary. Server 151 may then aggregate this information as it is being received, thereby pooling from a number of mobile communication device having the application/file data without taxing any specific mobile communication device. An example of this method is discussed further below.
FIG. 2 is a general overview of the transmission of different types of data between a mobile communication device 101 and server 151. As FIG. 2 shows, in block 201, mobile communication device 101 sends application data to server 151, which receives this data (block 203). In this embodiment, mobile communication device sends identifying or authentication information to server 151 so that server 151 can reference previously stored identifying or authentication information about mobile communication device 101, store and retrieve data associated with the mobile communication device 101, and specifically identify or authenticate mobile communication device 101 amongst other mobile communication devices.
In an embodiment, server 151 sends a notification to mobile communication device 101 (block 205). This notification can be an alert, a message, an instruction or other information related to application data or device data specific to mobile communication device 101. In an embodiment, the notification is due to the device previously having sent application data corresponding to a data object that was not initially assessed by the server 151 to be undesirable but was subsequently determined by the server 151 to be undesirable. In block 207, mobile communication device 101 receives the notification, and in block 209, the mobile communication device 101 takes action based upon the notification. As will be discussed in more detail below, such actions may include deactivating one or more features or applications on the mobile communication device 101.
One having skill in the art will appreciate that the interaction between mobile communication device 101 and server 151 can include communication from the mobile communication device to the server, as well as from the server to the mobile communication device. For example, in an embodiment, server 151 may receive application data from mobile communication device 101, but server 151 may require additional information before providing an assessment or transmitting a notification. In block 211, server 151 may request the additional information from mobile communication device 101. Mobile communication device receives the request (block 213), gathers additional information as requested by server 151 (block 215), then in block 217, transmits the additional information to server 151. In block 219, server 151 receives the requested additional information. One will appreciate that this process may repeat as necessary.
FIGS. 3-7 illustrate the transmission and collection of application data and device data in more detail. FIG. 3 illustrates an embodiment in which server 151 evaluates a change in a data object stored on mobile communication device 101. In FIG. 3, mobile communication device 101 detects a change in a specific data object (block 301). One having skill in the art will appreciate that detecting changes in a data object may involve mechanisms such as intercepting system calls or file system operations, a file system or other data object change listener, receiving an event from a package management system (e.g., PACKAGE_UPDATED and/or PACKAGE_REPLACED intents in the Android™ operating system), and polling for data objects in a file system or other system capable of enumerating data objects. Other techniques for detecting changes may also be used. Alternatively or additionally, the following methods may occur when a change to a data object is detected, upon request by the user of the mobile communication device, or upon a pre-configured schedule for analyzing and assessing data objects on the mobile communication device.
In an embodiment, a change in a data object includes any time a data object is added, removed, or modified. After transmitting application data for a data object, mobile communication device 101 waits for confirmation from the server before recording that it has successfully transmitted application data for the data object. After receiving application data for a data object from a mobile communication device 101, server 151 transmits a confirmation. If there was an error in transmission or with the data itself, server 151 returns an error. If mobile communication device 101 receives an error from server 151, or no response after transmitting application data for a data object, mobile communication device 101 will not record the application data for the data object as having been sent, and the mobile communication device 101 may retry sending the data at some point in the future. One skilled in the art will recognize that mobile communication devices are sometimes unable to connect to a network or may have their network connection interrupted in the middle of a transmission. As such, a mobile communication device 101 recording whether or not server 151 has successfully received application data for a data object is important to the functioning of a reliable data collection system. In an embodiment, any time application data for a data object has not been transmitted from mobile communication device 101 and received by server 151, it is considered to be changed and needs to be transmitted.
In an embodiment, mobile communication device 101 stores whether it has transmitted and server 151 has successfully received application data for one or more data objects present on the device. In order to identify which data objects have had appropriate application data reported to server 151, mobile communication device 101 may store a database containing identification information for data objects that have been successfully reported to server 151 to determine whether the device needs to transmit application data for those data objects. For example, a data object that is a file on a filesystem may be identified by a hash of its contents. When the data object is first installed on a mobile communication device 101, the database may contain no data for the data object. Because there is no identifying information for the data object, the mobile communication device 101 recognizes the data object as new and transmits application data for the data object to server 151 indicating that the object is new. After transmitting application data for the data object to server 151 and receiving confirmation that the server successfully received the application data, the device stores the hash of the file contents and the location on the filesystem where the file resides in the database. If the data object were to be deleted, the mobile communication device 101 can detect that there is no file at the previously stored filesystem location and can report the deletion of the data object to server 151 by reporting the filesystem location and/or hash identification information for the data object. If the file were to be modified, such as in the case of an application being updated, the mobile communication device can detect that there is a file in the previously stored location on the filesystem, but the content hash of the file does not match the stored content hash. In this case, the mobile communication device 101 can report to the server that the data object identified by the file location and/or previous content hash has been updated and report the new content hash of the file.
In an example, a security system installed on mobile communication device 101 may report application data for a data object to server 151 for purposes of receiving an assessment of the data object. If a mobile communication device downloads a new application that is malicious, it is important that the security system detect this new item as soon as possible. Server 151 can analyze the new application and provide a security assessment whereby actions can be taken based on the results. In another example, a first version of an application may be safe, but a second version of the application may be malicious. It is important that a security system recognize this update as different from the first version of the application so that it will produce a new assessment of the second version and not just report the first assessment. Server 151 can analyze the updated application and provide a security assessment whereby actions can be taken based on the results.
In block 303 of FIG. 3, mobile communication device 101 transmits identification information for the mobile communication device to server 151. In an embodiment, the identification information is authentication information. In an embodiment, the identification information is a non-authoritative identifier for the device such as a device ID that is not considered to be secret. In an embodiment, identification information includes device information for the mobile communication device (e.g., make, model, hardware characteristics). In addition, mobile communication device 101 transmits information for the changed data object. Such information may include identifying information for the data object, such as metadata (e.g., hash, package name, file name, file path, cryptographic signer, unique identifier such as a UUID) and the like. In block 305, server 151 receives the identifier for mobile communication device 101 and information for the changed data object. The received data is stored by server 151 on the server or on data storage 111 (block 307). In an embodiment, only some of the data received by server 151 is stored. In block 309, server 151 provides an assessment for the changed data object using any of the techniques disclosed herein or from U.S. patent application Ser. No. 12/255,621, which is incorporated in full herein. The assessment may include instructions and/or a categorization labeling the changed data object as safe, malicious, or unknown. In an embodiment, some or all of the received data is stored on server 151 or data storage 111 and is associated with the device that transmitted the data. For example, this may later allow server 151 to determine which applications a device has encountered. In another embodiment, some or all of the received data is stored on server 151 or data storage 111 in a way that server cannot directly tie the information to a particular device. For example, server 151 may store received data without any link to a particular device or account. In another example, data may be anonymously associated with a device by the server associating the data with an identifier when stored. To ensure that server 151 cannot associate the stored data with a particular device, the identifier is only known to the device transmitting the data and is provided to the server whenever the device transmits data. The server does not store this identifier so that the identifier is never directly linked with a particular device or account on server 151 or data store 111. In an embodiment, server 151 stores the results of the assessment on the server or on data storage 111. If, when an assessment for a data object is required 309 and a previous assessment for the data object exists and is considered valid, server 151 retrieves the previous assessment from data storage 111 instead of performing a new assessment. Assessments may be considered to be for the same data object if the metadata relating to each object matches in a variety of ways, including if the assessments relate to data objects with the same hash, same package name, same cryptographic signer, or same file path. In block 311, the assessment is transmitted to mobile communication device 101, which receives this assessment from server 151 (block 313), then processes the assessment or takes appropriate action (block 315).
One having ordinary skill in the art will appreciate that the interaction between mobile communication device 101 and server 151 is dynamic, in that server 151 can proactively transmit notifications or instructions to remediate data objects whose assessment has changed, thereby requiring action by mobile communication device 101. FIG. 4 illustrates such an embodiment. In block 401 of FIG. 4, mobile communication device 101 detects a change in a specific data object. In block 403, mobile communication device 101 sends identification information for the device and information about the changed data object to server 151. Server 151 receives the identification information for mobile communication device 101 and information about the changed data object (block 405). In block 407, server 151 stores the changed data information on the server or on data storage 111. In block 409, server 151 may analyze and assess the changed data object, and may report the assessment to mobile communication device 101 (block 411). As discussed previously, if an assessment has already been performed for the data object, that previously performed assessment may be retrieved and used instead of re-performing the assessment. If server 151 reports an assessment, mobile communication device 101 receives the assessment or other notification in block 413, and processes the assessment (block 415).
In an embodiment, the assessment for the data object may change. For example, a data object that may previously have been assessed as safe or unknown may later be identified as malicious, causing some previously unknown vulnerability, or causing an undesirable behavior such as network overuse or battery drainage. In block 417, if server 151 detects a change in assessment for a previously analyzed data object, then in block 419, server 151 may transmit a notification, remediation instructions or the like to mobile communication device 101. Mobile communication device 101 receives the notification from server 151 (block 421), then performs the recommended actions or remediation instructions (block 423). In block 425, mobile communication device 101 transmits a confirmation that it performed the required actions, which server 151 receives (block 427). In an embodiment, the notification is only sent to mobile communication device 151 if the data object is determined to be present on mobile communication device. In an embodiment, the server 151 stores information on the server 151 or on data storage 111 allowing the server 151 to determine whether the mobile communication device 101 currently has the data object or has previously requested an assessment for the data object.
One having skill in the art will appreciate that FIG. 4 provides only one example of how server 151 may report changes in assessment to a mobile communication device, and some steps may be skipped without departing from this disclosure. For example, mobile communication device may perform remediation instructions or other required actions without sending confirmation to server 151.
In an embodiment, server 151 may request additional information about a particular data object from mobile communication device 101. For example, mobile communication device 101 may send information about a changed data object to server 151; however, the information sent may be insufficient for server 151 to perform a conclusive analysis. FIG. 5 illustrates this embodiment. In block 501 of FIG. 5, mobile communication device 101 detects that a data object has changed, and transmits identification information for mobile communication device 101 with information for the changed data object to server 151 (block 503). Server 151 receives the identification information for mobile communication device 101 and information for the changed data object (block 505), and stores the information for the changed data object on the server or on data storage 111 (block 507). In block 509, server 151 determines whether it requires additional information about the changed data object. For example, server 151 may attempt to assess whether the changed data object is safe or malicious, but is unable to provide a conclusive assessment (i.e., the assessment results in “unknown”). The determination of whether more information is needed can be performed either before the server 151 performs an assessment if there is not enough data to even begin an assessment or after an assessment returns inconclusively due wholly or in part to a lack of data. If additional information is required, then server 151 may request the additional information from mobile communication device 101 (block 511).
In block 513 of FIG. 5, mobile communication device 101 receives the request for additional information, gathers the requested information (block 515), then transmits the additional information to server 151 (block 517). In an embodiment, additional information includes behavioral data for a data object and application data for the data object, such as the content for the data object. In block 519, server 151 receives the additional information from mobile communication device 101, and stores the additional information (block 521). Server 151 may then analyze the changed data object information with the additional information to provide an assessment (block 523), which may be sent to the mobile communication device 101 (block 525). In block 527, mobile communication device 101 receives the assessment of the changed data object from server 151 then processes the assessment (block 529).
In an embodiment, mobile communication device 101 may elect to transmit additional information to server 151. For example, server 151 may analyze a data object, but not provide a conclusive assessment. Rather than requesting additional information from mobile communication device 101, the device may request an additional assessment by providing additional information for the data object to server 151. FIG. 6 illustrates this embodiment.
In block 601 of FIG. 6, mobile communication device 101 detects a change in a data object, then in block 603, mobile communication device 101 sends its identification information and information for the changed data object to server 151. In block 605, server 151 receives the identification information for mobile communication device 101 and the information for the changed data object. This information is stored by server 151 on the server or on data storage 111 (block 607), then analyzed by server 151 to result in an assessment (block 609). In block 611, server 151 transmits the assessment or an appropriate notification to mobile communication device 101. Mobile communication device 101 receives the assessment from server 151 (block 613 of FIG. 6). In block 615, mobile communication device 101 determines whether to send additional information about the data object. For example, server 151 may be unable to produce an assessment for the data object given the data it has available, and thus needs more information to be able to produce an assessment. In block 617, if mobile communication device 101 determines that it should send additional information about the data object, then this information is gathered. In block 619, mobile communication device 101 transmits the additional information to server 151, which receives this information (block 621), and stores the received additional information (block 623). One will appreciate that server 151 will know that the additional information will pertain to the information previously received by server 151 (block 605), since mobile communication device 101 will transmit identification information with the additional information.
In block 625 of FIG. 6, server 151 analyzes the additional information received from the mobile communication device 101. In an embodiment, the additional information may be analyzed with the previously received information (block 605). In block 627, server 151 transmits the assessment to mobile communication device 101, which processes the assessment (block 629). If mobile communication device 101 still needs to send additional information, it may repeat the process as necessary.
As noted previously, server 151 may have access to a plurality of mobile communication devices, some of which may run or store the same application programs or data objects. Requesting data object information from a single mobile communication device can cause network traffic, affecting not only the single mobile communication device, but other devices on the network. In an embodiment, if server 151 requires information about a data object that is stored on more than one mobile communication device, server 151 can gather portions of the required information from each of the mobile communication devices, rather than relying on a single device. FIG. 7 illustrates an embodiment using a first and a second mobile communication device, thereby optimizing data collection from two or more mobile communication devices.
In block 701 of FIG. 7, the first mobile communication device detects a change in a data object. The data object is also found on the second mobile communication device, but may or may not realize the same change. The first mobile communication device transmits its identification information and information for its changed data object to server 151 (block 703). In block 705, server 151 receives the identification information for the first mobile communication device with the information for the changed data object. This information is stored by server 151 (block 709). In block 711, server 151 determines that it requires additional information about the data object. In block 713, server 151 identifies the second mobile communication device that server 151 knows also stores the data object as well as additional information for the data object.
In block 715 of FIG. 7, server 151 requests the additional information for the data object from the second mobile communication device. This request is received by the second mobile communication device (block 717). In response, the second mobile communication device will gather the additional information (block 719), then transmit the additional information to server 151 (block 721). Server 151 receives (block 723) and stores the additional information about the data object from the second mobile communication device on server 151 or on data storage 111 (block 725), then analyzes this additional information with the previously received information from the first mobile communication device to render an assessment (block 727). This assessment is transmitted to the first mobile communication device (block 729), which receives the assessment (block 731) and process the assessment (block 733). One will appreciate that if relevant, server 151 may also transmit the assessment to the second mobile communication device.
In an embodiment, server 151 can gather additional information from multiple devices. In an embodiment, server 151 chooses which devices to request additional information from by analyzing device information and application data previously stored by server. For example, to characterize an application's usage of SMS messaging to determine whether or not it is abusing SMS for spam purposes, server 151 may request the count of SMS messages sent by an application from many mobile communication devices that have previously reported that they have installed the application. In an embodiment, server attempts to analyze a data object to produce an assessment without first waiting to receive information about the data object from a device. Instead, server may receive data from other sources and proactively request information from one or more devices to create an assessment for the data object.
In an embodiment, application data for a data object that is gathered and transmitted by mobile communication device 101 to server 151 may include behavioral data about the data object. Usage of such data by server 151, such as during analysis, is discussed more in depth below. Behavioral data may include information about what the data object did when it ran on the device. Examples of behavioral data include information about network connections caused by the data object (e.g., server names, source/destination addresses and ports, duration of connection, connection protocols, amount of data transmitted and received, total number of connections, frequency of connections, and network interface information for the connection, DNS requests made), behavior of the data object when run (e.g., system calls, API calls, libraries used, inter-process communication calls, number of SMS messages transmitted, number of email messages sent, information about user interfaces displayed, URLs accessed), overhead caused by the data object (e.g., battery used, CPU time used, network data transmitted, storage used, memory used). Other behavioral data includes the context when a particular behavior occurred (e.g., whether the phone's screen was off when the data object sent an SMS message, whether the user was using the data object when it connected to a remote server, etc.).
Because a large amount behavioral data is generated by data objects every time they run, it is important for a mobile communication device not to gather or transmit all of the possible behavioral data; otherwise, the gathering and transmission of behavioral data may over-utilize resources on the device 101, server 151, and the network 121. In an embodiment, mobile communication device 101 limits what type of behavioral data for a data object it gathers and transmits, and how frequently to gather and transmit behavioral data based on the period of time since the data object has last changed. For example, when a data object is first installed on a mobile communication device, the device may gather and transmit the full amount of behavioral data available every day. After one week following installation of the data object, the device may only send a limited subset of behavioral data in weekly intervals. A month after installation, the device may only send a minimal amount of behavioral data in monthly intervals. In an embodiment, if the data object were to be updated (e.g., updating an application to a different version), the device may transmit the full scope of behavioral data daily and reduce the scope and frequency of data gathered and transmitted after one week and/or after one month. In an embodiment, server 151 sends configuration to mobile communication device 101 requesting that the device send specific types of behavioral data at a specific frequency. The device stores the configuration so that it may determine whether to gather and/or transmit behavioral data for data objects. In an embodiment, the configuration information is specific to a particular data object. In an embodiment, the configuration information is for all data objects encountered by the device. In an embodiment, server 151 requests behavioral data for a particular data object from the device so that the server can minimize unnecessarily gathered and transmitted behavioral data.
In an embodiment server 151 can influence the gathering and transmission of behavioral data from device 101 to server 151. For example, server 151 may transmit instructions to mobile communication device 101, requesting behavioral data for a data object only if the server has information indicating that the device currently has the data object, and if the server needs more behavioral data to better assess the data object. In an embodiment, the server 151 determines that it needs more behavioral data for an object based on the number of devices that have already reported behavioral data. For example, the server may require at least one hundred (100) devices to report behavioral data for each data object in order to have a confident assessment. In an embodiment, the difference of the behavioral data reported by different devices is used to determine how much behavioral data is needed for an assessment to be confident. For example, if thirty (30) devices all reported battery usage by a data object within a small variance, the server may not request any more behavioral data for that object; however, if those thirty (30) devices showed a wide variation of battery usage, the server may request behavioral data from two hundred (200) devices.
In an embodiment, a mobile communication device may only transmit behavioral data if the data is outside of normal bounds. In an embodiment, the bounds are universal to all data objects. For example, a bound on network usage may be set so that mobile communication device transmits behavioral data for a data object's network connections only if the data object maintains at least one open connection for more than 50% of the time it is running or if the data object transmits more than one megabyte of data in a 24 hour period. In an embodiment, server 151 can, update bounds on a mobile communication device 101 by transmitting updated bound information to the device. In an embodiment, bounds may be particular to one or more data objects. For example, a device may have a set of default bounds by which it will send behavioral data, but the server may transmit bounds for a particular data object, identifying that data object through identifying information such as a hash, cryptographic signer, package name, or filesystem location. The updated bounds may instruct the device to send more or less behavioral data than the default set of bounds. For example, a mobile communication device may default to never send behavioral data. When a new data object is installed on the device, the device reports the installation event and metadata associated with the data object to the server. If the server has already characterized the data object through behavioral data from other devices, the server may send bounds to the device specifying the typical behavior of the data object on other devices (e.g., uses less than 100 kilobytes of data per day, never sends SMS messages, never sends email) so that if the data object deviates from these bounds, the mobile communication device will send the deviated behavioral data to the server. Such deviations may be useful in the case of a legitimate application that becomes exploited and begins exhibiting uncharacteristic behavior or in the case of a “time-bomb” application that only starts becoming malicious after a certain time.
In an embodiment, data transmitted from mobile communication device 101 to server 151 is configurable in order to protect user privacy; prevent overuse of device, network, or server resources; or for other reasons. Some example configurations include choosing what application data is sent from device 101 to server 151, how often application data is sent, and how application data is re-transmitted should initial transmissions fail. Example configurations may further include transmitting only identifying information (e.g., no additional metadata or behavioral data), never transmitting any application data, never transmitting data object content, only transmitting application data for data objects based on the source of the data objects, only transmitting certain type of behavioral data, only transmitting a certain amount of application data per day, only transmitting one data object's content per day, transmitting behavioral data a maximum of once per day per data object, and the like. One skilled in the art will recognize that additional configurations are possible without departing from the scope of the disclosure. In an embodiment, the configuration may be enforced by a mobile device 101 and/or server 151 by the device only making certain transmissions and/or the server only making certain requests from the device. In an embodiment, the configuration is controlled by one or more parties. For example, the configuration may be automatically set by server 151 or software residing on mobile communication device 101, or controlled by an administrator via server 151, and/or controlled by a user via mobile device 101. In an embodiment, portions of the configuration are controlled by different parties. For example, a user may be able to control whether or not data objects are reported to server 151 but an administrator on server 151 may control the behavioral data reporting frequency for all devices to optimize battery usage of the security system.
In an embodiment, software on a mobile communication device 101 displays a user interface dialog when it receives a request to transmit application data for a data object, such as its content or behavioral data. As discussed above, a request for the data object's content may be for the whole content or for a portion of the content, the request identifying which portion of the content if a portion is requested. The user interface dialog displayed may identify the data object for which application data is to be transmitted, and give the device's user a chance to allow or reject the transmission. In an embodiment, the dialog allows the user to have the device remember his or her decision for future data objects. In an embodiment, the dialog allows the user to view more in-depth information about the application data to be sent, and provides a way for the user to understand the privacy implications of sending the data such as linking to a privacy policy, privacy description, or other content that describes how the data is transmitted, stored, and used. In an embodiment, a mobile communication device attempts to transmit a data object when it receives an indication that server 151 needs more information to produce an assessment. In this instance, the device may display a user interface dialog prompting the device's user to choose whether or not to transmit the data object's content when the device attempts to transmit a data object. In an embodiment, some attempted transmission of certain types of application data, such as a data object's content, results in user interface dialog for confirmation while other types of application data, such as metadata or behavioral data, are transmitted without requiring a user confirmation.
Because a particular application may utilize multiple data objects, it may be desirable for mobile communication device 101 and/or server 151 to group multiple data objects together so that the application can be analyzed as a whole. In an embodiment, mobile communication device 101 or server 151 may perform grouping by comparing application data between multiple data objects. For example, application data that may be used to group data objects includes how data objects were installed (e.g., data objects from the same installer may be grouped), if data objects are linked together at runtime or dynamically, whether multiple data objects are in the same filesystem directory, and if data objects share a cryptographic signer. For example, an application installer may extract an executable and multiple libraries to the filesystem on a mobile communication device. The mobile communication device 101 may use the common installer to consider the data objects grouped and may store the grouping information for use in gathering behavioral data (discussed below). In order for server 151 to recognize the group, each data object's application data may include identification information for the common installer. The server 151 may explicitly store the grouped relationship on server 151 or in data storage 111 to efficiently access the grouping information during analysis.
Because behavioral data cannot always be attributed to a single data object when multiple objects execute together such as in the context of single process, if the device operating system does not support granular behavioral data, or through other mechanisms, it may be desirable for mobile communication device 101 to group multiple data objects together and report behavioral data for the group together. In an embodiment, mobile communication device 101 transmits information indicating that grouped data objects are associated and transmits application data for grouped data objects to server 151 together. For example, if a process on a mobile communication loads multiple components from different vendors and network data can only be gathered on a per-process level, and/or if the process is detected to be connecting to a known malicious server, then it may be desirable for all components loaded in the process to be identifiable by the server to determine the offending component. When the mobile communication device 101 gathers behavioral data (such as the IP addresses the process has connected to) for the process, the device reports identification information for all of the data objects that are associated with the process to the server. When the server receives behavioral data for a group of data objects it may analyze behavioral data from multiple devices and determine that only groups containing a particular data object will connect to the malicious server. Thus, only the data object that results in connecting to the malicious server will be considered malicious. In an embodiment, if a mobile communication device does not provide granular information about the behavior of particular data objects, behavioral data for the device as a whole may be transmitted to the server as representing the group of all data objects installed on the device. For example, if an operating system does not provide per-process battery usage information, devices running that operating system may transmit a list of applications installed on each device and the overall battery life for each device to server 151. The server can then perform analysis on this data to determine which applications are correlated to better or worse battery life and estimate each application's contribution to battery life when installed on a device. In an embodiment where multiple data objects in a group have different behavioral data gathering configurations, the mobile communication device will join the configurations together. For example, if mobile communication device 101 is configured to report a large amount of behavioral data every day for one data object, but is configured to only report anomalous behavioral data for another data object, and the data objects are grouped, the device may join the two configurations and report a large amount of behavioral data for the group. Alternatively, if the second data object is configured to never report behavioral data for privacy reasons, no behavioral data may be reported for the group to satisfy the privacy constraint.
One having skill in the art will appreciate that data transmitted by server 151 or mobile communication device 101, such as metadata, behavioral data, configuration information, behavioral data bounds, grouping data, requests for additional data, notifications, and other forms of data may be formatted using binary formats or non-binary formats. Examples include formatting data in XML, JSON, or as part of a URI. The data may be transmitted using a variety of protocols, including TCP, UDP, DNS, and HTTP. Other formats and/or protocols may be used without departing from this disclosure.
The above are various non-limiting examples of how data is gathered and collected from one or more mobile communication devices. Techniques for optimizing data collection are also disclosed above. As discussed, mobile communication devices 101 will transmit some or all of the above-described data to server 151 for analysis so that server 151 can provide an assessment of the analyzed data. The following section describes non-limiting examples of analysis techniques. One having skill in the art will appreciate that while the examples and disclosure below uses the data gathered using the methods described herein, other types of data may be transmitted and that this disclosure is not limited to the data described herein.
B. Data Collection System
One skilled in the art will appreciate that server 151 may receive data from sources other than mobile communication devices for use in analyzing a data object and producing assessments. FIG. 10 illustrates an embodiment in which server 151 may receive data from multiple sources and transmit assessment information for multiple uses. One or more servers 151 are illustrated as a “cloud” to emphasize that multiple servers may operate in coordination to provide the functionality disclosed herein. One or more mobile communication devices 101 are illustrated as a group to emphasize that multiple devices 101 may transmit and receive information to and from server 151. As disclosed above, one or more mobile communication devices 101 may transmit application data for data objects to server 151 and devices 101 may receive assessment data, requests for more information, notifications, and the like from server 151.
In addition to gathering data from mobile communication devices, server 151 can receive information pertaining to data objects from a variety of data gathering systems. Such systems may be separate from server 151 or may be part of server 151. In an embodiment, a data gathering system directly updates a database or other storage on server 151 or data storage 111 with information for one or more data objects. In an embodiment, a data gathering system communicates with server 151 to provide information to server 151. There are many types of systems that may be used as data feeds to server 151. Some examples include web crawlers 1003, application marketplace data gathering systems 1005, honeypots, and other systems that may feed information related to mobile device applications to server 151.
In an embodiment, a web crawler 1003 downloads data objects that can run on mobile communication devices and retrieves information about data objects, feeding both to server 151. For example, the web crawler 1003 may utilize a search engine to look for web sites that host mobile applications. Once the crawler 1003 identifies sites hosting mobile downloads, the crawler may retrieve web pages available on those sites, examining the content of each page to determine additional pages to retrieve. For example, a page on a mobile download site may contain links to other pages as well as links to download data objects. It may be desirable for data gathering systems to only transmit information to server 151 that is relevant to mobile devices, as there is much content available on the internet that does not affect mobile communication devices (e.g., PC software). In an embodiment, the crawler 1003 can identify if a data object available for download or that has already been downloaded is able to run on a mobile communication device. For example, the crawler 1003 may examine a download URL for a specific string indicating that the URL corresponds to mobile application package (e.g., SIS, APK, CAB, IPA). In another example, the crawler 1003 may examine a data object after it has been downloaded to determine if it affects mobile communication devices and if so, whether it affects a specific mobile platform. In this case, the crawler 1003 may examine the data object downloaded for characteristics such as its name, whether it contains executable code compatible with any mobile platforms, or if it contains data that is typical for a particular mobile device platform. In an embodiment, the web crawler 1003 gathers marketplace metadata about data items and transmits the marketplace metadata to server 151. Some example marketplace metadata includes from which web sites a data object is available for download, user ratings and comments for a data object, the price of the data object if it is available for purchase, the number of times the data object has been downloaded, information about the author of the data object, and other information pertaining to a data object that is available on web sites. As will be discussed below, where a given data object is available can be used to determine how trustworthy a data object is. For example, a data object available from a reputable company's web site may be considered more trustworthy than a data object uploaded on a mobile device forum by one of the forum's users.
Because many mobile applications are only available via mobile application marketplaces, it may be important for server 151 to receive information about data objects that are available in application marketplaces. In an embodiment, an application marketplace data gathering system 1005 retrieves information about a data object, such as the data object's content and marketplace metadata for the data object, from mobile application marketplaces and reports the information to server 151. In an embodiment, the application marketplace data gathering system 1005 is part of server 151. In alternative embodiment, the application marketplace data gathering system is separate from server 151. Application marketplaces are often provided by mobile platform vendors (e.g., Android Marketplace, Blackberry App World, Apple App Store, Nokia Ovi Store) or third parties (e.g., GetJar, Handango) and may use a proprietary API. In an embodiment, application marketplace data gathering system 1005 is configured to communicate with application marketplace servers via a proprietary protocol. In order to transmit the data received from application marketplace servers to server 151 in a manner that is usable by server 151, the marketplace data gathering system 1005 may transform application data for data objects from a proprietary format into a format that server 151 can utilize for analysis. For example, an application marketplace may provide an API to access users' comments and ratings for an application; however, the data returned by that API may be different from another application marketplace's comment data. In another example, an application market may proactively transmit data to marketplace data gathering system 1005 so that the data gathering system does not have to repeatedly query it. To allow server 151 to be able to analyze comment data from multiple application marketplaces, application marketplace data gathering system 1005 may transform differently formatted comment data into a standard format for transmission to server 151. In an embodiment, an application marketplace data gathering system 1005 can search for certain terms in user reviews, such as “battery drain,” “crash,” “privacy settings,” “does not work,” “phone number,” “contacts,” and the like, which can be used to characterize an application as “known bad,” or used to establish the trustworthiness of an application using the system components described herein. In an alternative embodiment, application marketplace data gathering system 1005 can gather all comment data and analysis of the comment data can be performed by server 151. Similarly, server 151 or application marketplace data gathering system 1005 can be capable of recognizing positive reviews or scores for a data object, thereby improving the assessment and/or trustworthiness for the data object.
In addition to automated gathering of data object information, it may be important for server 151 to accept human information 1007. Such information may include subjective trust scores for mobile application vendors, specific keywords or other characteristics, such as heuristics, that may classify a mobile application as suspicious. One skilled in the art will recognize that other types of information related to the analysis of data objects for mobile devices may be provided by a human is possible without departing from the scope of this disclosure. In an embodiment, server 151 provides a user interface by which someone may provide information to server 151 about a specific data object, a group of data objects (e.g., data objects from a particular developer, all data objects on a specific platform), or for the analysis system as a whole (e.g., updated analysis heuristics). In an embodiment, a server separate from server 151 provides a user interface by which someone may provide information about a specific data object, a group of data objects, or for the analysis system as a whole. This separate server may transmit the user-provided information to server 151 where server 151 stores it on server 151 or in data storage 111. In an embodiment, the separate server directly updates data storage 111 with the user-provided information.
FIG. 10 illustrates how server 151 may provide information about data objects to external systems. In an embodiment, information provided by server 151 may be transmitted via an API; provided as a list, a data feed, a report, or formatted data such as firewall or virus definitions; or in other forms. In an embodiment, server 151 provides information about data objects to an application marketplace 1009. For example, server 151 may provide marketplace 1009 with a list of malicious data objects that are present in marketplace 1009. In another example, server 151 may expose an API by which application marketplace 1009 can transmit identification information (e.g., a hash of a data object's content) to server 151 to determine if the data object is considered malicious or otherwise undesirable. In an embodiment, server 151 provides data to network security infrastructure 1011 so that the network security infrastructure 1011 may protect against malicious or undesired applications at the network level. For example, by protecting at the network level, even mobile communication devices that do not have security software installed may benefit from protection. In an embodiment, server 151 transmits threat signatures to network security infrastructure 1011. Such threat signatures may take a variety of forms, for example, hashes of undesired applications, binary sequences for undesired applications, package names of undesired applications, firewall rules to block malicious servers or attackers, and rules for a network security system such as Snort. In an embodiment, server 151 provides data in the form of data feeds 1013. The data feeds 1013 may contain a variety of data available to server 151 or data storage 11 either from server's data gathering or from further analysis (described below), for example, a list of any data objects that use more network traffic than a given threshold to identify misbehaving or abusive applications, a list of the most prevalent malicious data objects, and a list of applications that match criteria such as a set of heuristics for identifying potentially malicious applications.
C. Server-Side Analysis Systems
In order to produce assessments for data objects or other forms of useful output, server may use a variety of methods of analysis. In an embodiment, because server has access to information collected about data objects from one or more sources, server can process the information to produce an assessment for a data object. FIG. 11 illustrates an embodiment in which server 151 aggregates application data for a data object, stores the information, generates characterizations and categorizations for the data object, assesses the data object to produce assessment information, and transmits the assessment information. In block 1101 of FIG. 11, application data (e.g., data object content, metadata, behavioral data, marketplace metadata) is gathered for a data object. Some of the possible methods for gathering and types of data gathered have been discussed above. Such methods may include gathering data from devices, from web sites, from application marketplaces, from people, and from other sources. In block 1103, application data for the data object is stored on server 151 or data storage 111 so that the data may be used at a different time than when it is gathered.
In block 1105, device data is gathered and stored (block 1107) on server 151 or data storage 111. It may be desirable for device data to be linked to the application data for the device that reported so that assessments, categorization, and characterization can take into account the source of the data. For example, if an application only malfunctions when installed on a particular device type, it is important for server 151 to be able analyze application data provided by devices in the context of what particular device type provided the data. In an embodiment, when application data is stored 1103 it is associated with device data for the device that provided it. For example, when a device 101 transmits application data to server 151, the device may transmit authentication information that allows server 151 to retrieve previously stored data for the device 101. If the device 101 has already transmitted device data to server 151, the previously stored device data can then be associated with the new application data. In such a data gathering system, it may be important to protect privacy and minimize individually identifiable information stored by server 151 or data storage 111. In an embodiment, application data for multiple devices having the same device data is aggregated so that the stored data is not linked to a particular device, but rather a set of device data shared by one or more devices. In the design of such a system, it may be important to take into account the balance between granularity of device data and the level to which the aggregated data can be ascribed to a particular device.
As part of analyzing a data object, it may be desirable for server 151 to characterize it and/or categorize it (block 1109). In an embodiment, server 151 stores characterization and categorization data for data objects (block 1111). It may be desirable for characterization and categorization data to be updated as more data becomes available or analysis of the data changes. In an embodiment, server 151 performs additional analysis (block 1109) and updates stored categorization and characterization data (block 1111) for a data object when new or updated data for the data object used by analysis systems is available.
Characterization data includes information that describes a data object's functionality, behavior, and reputation such as its capabilities, metrics for the data object, analyses of other data relating to the data object, and the like. In an embodiment, server 151 produces characterization data about a data object using application data, device data, marketplace data, distribution data, and other data available to server 151. While some methods are described below, one skilled in the art will appreciate that there are other of methods for generating characterization information that can be employed without departing from the scope of this disclosure. In an embodiment, server 151 transmits characterization information as an assessment. One will appreciate that characterization information may be useful for a user to understand when deciding whether to install an application. For example, if a user is considering downloading a game but the user receives an assessment indicating that the game has the capability to send the user's location to the internet, the user may decide not to install the game. In another example, if a user is considering downloading an instant messaging application and is concerned that the application may use a disproportionate amount of battery power, the user may receive an assessment to see the application's average battery usage metric and decide that, based on the metric, the application is acceptable to install. In an embodiment, characterization information is consumed as an input to one or more other analysis systems. For example, an analysis system producing an assessment of the privacy risk of an application may use characterization information to determine if an application has risky capabilities such as sending location or contact list information to an internet server.
Capabilities are one form of characterization data that server 151 may produce. In an embodiment, server 151 extracts capabilities from a data object. In certain mobile operating systems or application environments, applications may request granular permissions to access privileged functionality on a device, such as sending or receiving network data, accessing the phone's location, reading or writing contact entries, and SMS messaging. In an embodiment, server 151 uses data about permissions requested by a data object to determine the capabilities of the data object. Server may determine permission data by a variety of means, including metadata and behavioral data reported by devices, marketplace data, static analysis of data objects, and dynamic analysis of data objects. For example, applications on the Android operating system have to declare permissions at install time, so server 151 may analyze these declared permissions in an application package directly via metadata about an application package reported by one or more devices or via marketplace data to determine permission data.
In an embodiment, server 151 performs analysis of a data object's content to determine what APIs on a device the data object utilizes. In an embodiment, the API analysis may include a search of the data object for data sequences indicating API calls; an analysis of specific library, function, class, or other import data structures in the data object; an analysis of dynamic linker calls; an analysis of calls to local or remote services; static analysis of the data object; dynamic analysis of the data object; and analysis of behavioral data reported by one or more devices. In an embodiment, server 151 utilizes extracted API call information to determine that the application has a particular capability. For example, if an application calls an API to interact with a GPS radio on a device, server 151 determines that the application has the capability to determine the device's location. Although such analysis may detect the vast majority of APIs used by a data object, it is possible that advanced self-modifying code may prevent thorough analysis of a data object. In an embodiment, server 151 detects if the code is, or may possibly be, self-modifying. The capability of a data object to modify itself may signify that the data object is of higher risk than data objects that are more straightforward. While many instances of malware on PCs use self-modifying code to hide from anti-malware systems, copy-protection systems also often encrypt code to prevent unauthorized access; thus, self-modification alone may not be sufficient to classify a data object as malicious, it may be used by an analysis system, in addition to other characteristics, such as behavioral data, to produce an assessment for the data object.
In an embodiment, server 151 analyzes behavioral data to determine capabilities for a data object. For example, server 151 may look for a data object making phone calls, sending SMS messages, accessing the internet, or performing other actions that indicate a particular application capability. In some cases, it is important not only to understand what single functions are utilized by a data object, but also whether an application exchanges data between APIs. For example, an application that uses the internet and can read a device's contact list may have multiple capabilities that have significantly different risks. For example, an address book application that simply uses the internet to check for updates has less of a privacy risk than an address book application that reads contacts and sends those contacts to the Internet. In an embodiment, server 151 analyzes data object to determine if there are code paths by which data returned or produced by one API or service are sent to another API or service. For example, server 151 may perform taint tracking between two APIs to determine whether an application transfers data between APIs. For example, server 151 may determine if there is a code path in a data object by which data returned by any call to the contact API on a mobile device can be provided to any network API on the device. If there is such a code path, server 151 determines that the data object has the capability of sending contacts to the internet. Having such a capability may be more valuable during further analysis by server 151 or by a user than simply knowing that an application accesses contacts and that it accesses the internet. Many applications may use both permissions; however, fewer may actually send contact data to the Internet. A user or an automated analysis system will be able to use the capability of knowing that there is a code path between two APIs as a much stronger indicator of capabilities than less granular capability measurements.
In an embodiment, server 151 runs a data object in a virtual (e.g., simulated or emulated) or physical device and analyzes the behavior of the data object when run. In an embodiment, the virtual or physical device is instrumented so that it reports behavioral data for the data object. In an embodiment, the virtual or physical device's network traffic, calls, and SMS messages are analyzed by server 151. For example, a virtual device may be configured to always report a specific location via its location APIs that are unlikely to occur in any real world circumstance. By analyzing the device's network traffic for various encodings of that location, such as a binary double encoding, base 64 encoding, and text encoding, server 151 is able to determine whether the data object attempts to report the device's location to a server. In an embodiment, server 151 examines the difference in state of the virtual or physical device before the data object is run on the device and after the data object has run. For example, a data object may exploit the kernel on a device upon which it is installed in order to install a stealth rootkit. In this case, a virtual device may show a substantial difference in certain sections of memory, such as in a system call dispatch table, that should not change under ordinary circumstances. In an embodiment, the physical or virtual device has a custom root certificate authority in its list of trusted certificates and server 151 intercepts all TLS traffic, using a server certificate that is signed by the custom certificate authority, and proxies the traffic to its original destination. Because the device has a custom certificate authority, the data object is able to establish a valid TLS connection through server 151 and all encrypted traffic is able to be analyzed by server 151.
Aside from capabilities of a data object, it may be important for server 151 to gather metrics relating to a data object's effect of running on a device or its usage of capabilities on a device. For example, overuse of network data, email, or SMS messaging may be considered abusive or indicative of a malicious or exploited application. In an embodiment, server 151 analyzes application data from many mobile communication devices, such as metadata and behavioral data, device data, and other data it has available to it to produce metric data that characterizes a data object. For example, server 151 may determine how much battery usage an application requires on average for all devices or for a particular device type, how much data a data object sends over any network interface or over cellular vs. Wi-Fi network interfaces, how many email messages or SMS messages a data object sends, how many telephone calls an object makes, and other metrics.
Server 151 may produce other characterization information from what has been described above that may aid in further analysis by server 151 to produce an assessment or that may be exposed directly by server 151. In an embodiment, server 151 analyzes network traffic information associated with a data object to produce network characterization data, such as a list of the servers the data object has connected to, the ports and protocols on those servers data object communicates with, how much data is transmitted to and received from each server, In an embodiment, network characterization information includes what proportion of devices running a particular data object connect to each server. For example, an application that connects to an IM server or a known malicious bot command and control server may connect to only one or a small number of servers on all devices that it is installed on; however, a web browser or application that allows user-specified connections may connect to a very large number of different servers on different devices. In an embodiment, if a data object connects to many different servers, server 151 informs one or more devices to not collect network behavioral data for that data object to minimize unnecessary data reporting. In an embodiment, the network traffic information is gathered as behavioral data from mobile communication devices or gathered by server 151 running the data object on a virtual or physical device.
In an embodiment, server 151 determines whether a data object causes a mobile communication device 101 to access malicious Internet or other public or private networks. For example, a data object that causes a mobile communication device to access a malicious website may subject the device to exploitation. An embodiment of this disclosure allows for resolution of transmitted Inter- or Intranet addresses (e.g., URLs) to determine whether the address will direct the mobile communication device to a safe website, rather than a nefarious website or phishing scam. This information can be stored as it relates to a particular data object.
In order for a user to apply application policy to a mobile device without having to make a separate decision for every single application, it may be helpful to categorize applications so that the user may simply decide which categories of applications to allow or deny. In an embodiment, server 151 categorizes a data object using data it has available such as application data, device data, marketplace data, and characterization data. For example, if a data object is characterized as calling location APIs on a mobile communication device, then server 151 may categorize the data object as a mapping or other location-based application. In an embodiment, categories may directly map to capabilities, such as applications that read your contact list or applications that can send your location to the internet. Other example categories include whether a data object transmits any information from a mobile communication device's contact list, whether a data object causes other data such as a device's phone number to be transmitted by a mobile communication device, and other behaviors that may affect the privacy security of a mobile communication device. In an embodiment, server 151 uses metric data for a data object to categorize it. For example, server may have a category of heavy battery users that includes data objects that typically use more than 10% of a device's battery. Because the categorization may be dependent on device data in addition to characterization data, the category of battery wasters may depend on what type of device an assessment is for. For example, a data object that uses more than 10% of one device's battery may use only 5% of another device's battery.
In an embodiment, if a data object does not directly provide categorization information, server 151 can deduce such information. For example, if a data object communicates with a known instant messaging server, server 151 may determine that the data object is an IM application. For example, applications that connect to servers belonging to a popular social network may be classified during analysis as social networking applications, applications that connect to a known malicious IRC server may be classified as a malicious bot, and applications that drain one or more devices' batteries may be flagged as battery drainers.
Because the categorization of an application may be subjective and difficult to determine automatically, it may be desirable to have one or more persons, internal to an organization or as part of a collaborative community effort, determine categories for an application. In an embodiment, server 151 exposes an interface by which users can suggest categories for a data object. For example, server 151 may define a category of applications that are inappropriate for children, the applications having content that includes pornography or violence. In this example, one or more users can sign in to a community voting system provided as a web application where they can search and browse all applications known to server 151. The list of applications may be populated by marketplace crawling and application data reported by devices. Each application may have a page whereby users can select their recommended category for that application. In an embodiment, the user interface shows information about the data object, such as aggregated application data, characteristics for the data object, and other information available to server 151 so that users can make a decision based on the output of analysis. In an embodiment, the user interface allows a user to select from a list of categories, add new categories, and add tags for a data object. In an embodiment, the user interface has a discussion component so that that people may discuss the appropriate categorization for a data object. In an embodiment, the category for an application is determined by a voting system by which users may select their preferred category for the application, the category selected by the most users being the authoritative category for the application. In an embodiment, the user interface is displayed on a mobile communication device, displays a list of data objects installed on the device, and allows a user to suggest categories for those data objects.
In an embodiment, server 151 processes application data and device data to determine distribution data for a data object. Distribution data may include how widely a given application is currently distributed, what the growth of the application's distribution has been over the period of time that the application has been available, what customer demographics, such as geography, have installed the application, and other functions of the prevalence of an application amongst groups of mobile communication devices. For example, server 151 may examine how many mobile communication devices report having installed a data object at the current time to determine how prevalent that application is. In an embodiment, server 151 uses distribution data to determine trustworthiness of a data object or to analyze a data object for risk, as is discussed below. For example, an application that has been installed on many devices for a long period of time without being uninstalled is likely to be less risky than an application that is brand new and only installed on a few devices.
Because server 151 may encounter legitimate applications that are in development and therefore are not distributed widely, an embodiment of this disclosure is directed to server 151 identifying which applications may be in development, thereby preventing them from being classified as undesirable in an anti-malware or other system. Server 151 may receive application data for a data object indicating that the data object has characteristics inherent to applications in development, such as debugging symbols, debuggable permissions or flags, linkage to debugging libraries, and other characteristics. Applications in development may also be likely to have low distribution or isolated distribution. If server 151 identifies that an application is in development, it may store an indication of the application being considered in development and use the indication to prevent server 151 from assessing the application as suspicious or undesirable or to decrease the likelihood that the server reaches such assessments. In an embodiment, when determining whether a data object should be treated as “in development,” server 151 considers previous data objects encountered by devices that encountered the data object in question. If the devices frequently encounter data objects that are in development, server 151 is more likely to classify the data object as in development. If the devices infrequently encounter data objects in development, server 151 is less likely to classify the data object as under development.
In an embodiment, server 151 establishes the reputation or level of trust for the data object. In an embodiment, the level of trust is determined manually or automatically and assigned to a single data object, multiple data objects that are part of an application, multiple versions of an application, or for all applications from a given developer on one platform or multiple platforms. In an embodiment, trust data is stored by server 151 on the server or in data storage 111 so it may be subsequently used directly or as part of producing an assessment.
In an embodiment, trust is granted via a manual review process for an application. For example, if server 151 deems application to be risky based only on its capabilities (e.g., has access to private data and/or utilizes sensitive APIs), a user viewing the assessment may choose not to download it, even if the application is well regarded. To solve this problem, the application may be assigned a trust rating by manual review. If the review deems the application to be trustworthy, the assessment reports the application as not risky; however, if upon review, the application is determined to be suspicious, the assessment may continue to report the application as risky. Because a reputable application may consist of multiple data objects, may be updated with new data objects, or may have versions for multiple platforms, it may be important to allow a trust rating to span multiple data objects, applications, and even platforms so that a manual review does not need to be completed for every version or file that is part of an application. Similarly, because many reputable software vendors may produce multiple applications that can be assumed to be trustworthy, it may be desirable to automatically grant a high level of trust to data objects identified to originate from those vendors. In an embodiment, server 151 grants a data object a high level of trust if the data object can be attributed to a trusted vendor or trusted applications through data available to server 151 such as the data object's cryptographic signer, package name, or marketplace metadata.
In an embodiment, server 151 uses distribution data and application data to establish trust for an application. For example, if a popular application, such as Google® Maps, is installed on millions of mobile communication devices and there are multiple previous versions of the application all having the same cryptographic signer and similar distribution characteristics, subsequent versions of the application with that cryptographic signer would be deemed to have a high level of trust. If server 151 encounters another application that has the same name as a popular application, such as Google® Maps, is installed on only a few devices, and uses a different cryptographic signer, server 151 may grant the low-distribution application a low level of trust. An anti-malware system may use such data indicating that a data object has low trust to automatically assess a data object as undesirable or to flag it for manual review. In an embodiment, trust data for an application may take into account associated applications such as applications determined to be created by the same developer on the same platform or on different platforms. For example if a company produces an application for one mobile platform that has a large number of users and good ratings, and the company releases a new application on a different platform, the new application may be given a high trust rating based on its association to the first application.
In an embodiment, server 151 analyzes application data to determine if a data object is part of a mobile communication device operating system or preloaded by a manufacturer or operator. In an embodiment, if server 151 determines that a data object is part of a mobile operating system or is preloaded, it is be granted a high level of trust automatically.
In an embodiment, server 151 analyzes user-generated ratings and comments for an application, such as those gathered by application marketplace data gathering system 1005. For example, server 151 may use ratings and reviews to determine a trust rating for the application. If an application has low ratings and negative comments indicating that the application “crashes” or is otherwise “bad”, server 151 assigns the application a low trust rating based on the reputation indicated in its comments; however, if an application has consistently high ratings and many reviews, server 151 assigns the application a high trust rating. In another example, server 151 uses ratings and reviews to as a subjective indicator of application quality for use in producing assessments for the application. If an application has a significant number of reviews with text indicating that the application “drains battery” or “sucks battery”, server 151 determines that the application has the reputation of having adverse battery effects and produces an assessment of the application indicating that.
In an embodiment, server exposes trust data to third-parties via an API. For example, trusted applications may be considered certified by Lookout. In an embodiment, the trust level exposed by the API is binary (e.g., trusted, not trusted), fuzzy (e.g., 86% trusted, 11% trusted), or categorical (e.g., fully trusted, malicious, suspicious, semi-trusted). Mobile application marketplaces may wish to display an indicator of this certification on an application download user interface as a signal that the application has a good reputation. In this case, server 151 may expose an API by which third-parties can supply a data object or identification information for a data object such as a hash identifier, package name, or cryptographic signer. After receiving a data object or enough information to identify one, server 151 responds with an indication of whether the data object is considered certified or not. In an embodiment, the response is an image indicating whether server 151 considers the data object to be certified or not. In an embodiment, the response contains a hyperlink to server 151 whereby a user can verify that the certification for the application is genuine. In an embodiment, the web page referenced by the hyperlink shows additional information about the application, such as why it was considered trusted or not (e.g., through manual review, comments, distribution data), what permissions are requested by the application, characteristics and capabilities the application has, and commentary about the application during manual review.
Using data gathered by server 151 or from an analysis system described herein, server may produce an assessment (block 1113 of FIG. 11). After producing the assessment, server 151 may store the assessment of the data object so that it may be retrieved at a later time (block 1115). Server may then transmit the assessment for the data object (block 1117). For example, server may publish the assessment on an application provider website, provide the assessment in the form of searchable reports, transmit a notification to a mobile communication device, transmit virus signatures containing the assessment that a given data object is known good or known bad, and transmit a response to an API call querying for the assessment of the data object. Such information can be in the form of readable text, a machine readable format, or may include a “score,” a badge, an icon or other symbolic rating. One skilled in the art will appreciate that other situations in which server 151 transmits an assessment for the data object are possible without departing from the scope of this disclosure.
In an embodiment, assessment data includes the output from an analysis system, such as characterization data, categorization data, trust data, and distribution data. For example, an assessment for a data object may include (solely or in addition to other information) detected capabilities for the data object, average battery usage for the data object, average number of SMS or email messages sent by the data object, the most common servers the data object connects to, the average amount of network data for the data object, and trust ratings for the data object. One will appreciate that the above assessment data may be provided as an input to server 151. For example, a network operator or enterprise may operate a server that produces assessment data and feeds it data back to a master server. In another example, users may determine assessment data and provide it to server 151 via an interface such as a web application. In this case, users may provide subjective trust data, risk ratings, a categorization, or other assessment data that may be used by the server. In an embodiment, server 151 combines assessment data received from multiple sources to produce an aggregated assessment. For example, if a malware author attempts to transmit an assessment to server 151 indicating that a malicious application is safe in the hopes of causing server 151 to produce a false assessment, the server may utilize the number of unique sources providing assessments and the trustworthiness of those sources to produce the aggregated assessment. If one hundred assessments are received from different, reliable sources such as network operators and enterprises that indicate the application to be malicious, but ten thousand assessments from a particular unverified source indicate the application to be safe, the server produces an aggregated assessment indicating the application to be malicious.
In an embodiment, assessment data produced by server 151 includes one or more ratings for a data object. For example, an assessment for a data object may include a rating for the data object's privacy by server 151 taking into account whether the application has the capability to send location data, contact data, SMS messages, or files from a device to a server. In another example, an assessment for a data object may include a rating for the data object's security by server 151 taking into account whether there are any known vulnerabilities for the application, whether the application listens for network connections on any ports, whether it meets secure coding guidelines, what the trust level of the application is, and whether there are any anomalies in the application (e.g., stealth code, decrypted code, structural anomalies). In another example, an assessment for a data object may include a rating for the data object's battery impact, such as estimated number of minutes of phone battery life reduction, by server 151 taking into account by taking into account the battery usage data reported by devices. In another example, an assessment for a data object may include a rating for the data object's performance that is produced by server 151 taking into account the average CPU usage of the application and the frequency which the application does not respond to user input events. In another example, an assessment for a data object includes a quality rating that is produced by server 151 taking into account the frequency of application crashes, user comments, user ratings, and the average time the application is kept on devices. In an embodiment, server 151 provides multiple ratings as part of one assessment so as to provide information about a data object along multiple dimensions. In an embodiment, assessments may be binary (e.g., good, bad) or fuzzy (e.g., 100%, 90%, 10%). In an embodiment, multiple ratings are combined into an overall rating.
In an embodiment, server 151 processes multiple data sources available to server 151 to produce a rating for the data object. For example, server 151 may utilize application data, device data, characterization data, trust data, distribution data, and user-supplied data to determine if an application is malicious. The server may utilize a variety of systems or models applied to the data available at the server to produce the assessment. For example, producing an assessment of whether a data object is malicious may involve a malware detection system that includes a heuristic engine that analyzes characteristic data to identify behavior of data objects that are likely to be malicious. Some example heuristics include detecting whether a data object utilizes any capabilities to evade detection by hiding from application enumeration systems on an the OS it is installed on, whether an application attempts to modify itself, whether an application has capabilities associated with known spyware, and whether an application connects to known malicious servers.
One skilled in the art may appreciate that part of the analysis performed at server 151 to produce an assessment may be seen as extracting features for a data object, and another portion of analysis may be seen as applying a model to those features to produce a useful assessment; thus, one may apply a variety of systems, such as artificial intelligence systems or algorithms, to process the features for a data object to reach a desired form of rating or assessment.
In an embodiment, server 151 produces multiple assessments for a data object that take into account different device data or configuration information. For example, if server 151 is configured to produce assessments of whether a data object will function correctly and if a data object malfunctions when installed on one type of device, but functions correctly when installed on another device type, server may produce two assessments for the data object. If server 151 has an API by which a mobile communication device 101 can request an assessment for a data object given identifying information for the data object and the mobile communication device has sent device data to server 151, then server 151 can provide the assessment for the data object that corresponds to the device requesting the assessment. If a device 101 where the data object would malfunction requests an assessment, then server 151 will return the assessment indicating the malfunctioning behavior of the data object on that device 101. If a device 101 where the data object would function correctly requests an assessment, then server 151 will return the assessment indicating the correctly functioning behavior on that device 101.
In an embodiment, an assessment indicates whether a data object is allowed to run on a device given policy set by an administrator. If multiple policies are configured on server 151 and data storage 111 stores which policy is to be applied to a device 101, then a given data object may have multiple assessments that depend on the policy of the device querying for an assessment. For example, if a device with a strict privacy policy requests an assessment for an application that can share a user's location, server 151 transmits an assessment indicating that the application is disallowed. If a device with a lenient privacy policy requests an assessment for the same application, server 151 transmits an assessment indicating that the application is allowed. In an embodiment, assessment data is not stored and only information used to produce the assessment such as application data, device data, distribution information, characterization information, trust data, and categorization information is stored and the assessment is performed upon request by applying policy to the stored information.
Although automated analysis systems may produce acceptable results most of the time, there may be situations in which manual analysis overrides the result of automatic analysis. In an embodiment, server 151 stores manual analysis results for a data object and transmits the manual analysis results as an assessment. For example, server 151 may categorize an application as a social networking application based on its behavioral data; however, the application may actually be a word processing application that allows the user to publish notes to a social network. In this case, a user or administrator may override the categorization for the data object, server 151 storing the categorization and transmitting it in response to a request for an assessment for the data object. In another example, an anti-malware system identifies data objects having certain characteristics as undesirable. It may also be desirable for a user to manually configure server 151 to treat particular data objects as undesirable. Server 151 stores a list of data objects that are considered undesirable and, when asked for an assessment for one of these data objects returns an assessment indicating that the data object is undesirable.
Because it may be desirable for assessments about a data object to reflect the most up-to-date information available, in an embodiment, server 151 first produces an assessment and then updates it if additional application data or device data becomes available or if the analysis system itself is updated. In an embodiment, if a data object is re-assessed (e.g., because of new application data, device data, or updated analysis systems), server 151 stores the new assessment 1111 and transmits it 1113. For example, after gathering device data and application data for a data object from ten devices, server 151 may generate an assessment for that data object. Then, if server 151 receives device data and application data from one thousand more devices, it may re-analyze the data object in light of the new data, producing a new assessment for the data object. If the updated assessment is materially different from the first, actions such as notifying devices or users may be performed by server 151.
C. Anti-Malware System
In an embodiment, server 151 and mobile communication device 101 are configured to function together to prevent malware or spyware from adversely affecting mobile communication devices. Because mobile communication devices are limited in memory, processing ability, and battery capacity, it may be desirable for server 151 to perform analysis, such as the analysis described herein, to determine if an application is considered to be malware or spyware rather than each device performing the analysis. Furthermore, it may be desirable for server to store the results of the analysis so that if multiple devices encounter the same application, the analysis does not need to be repeated. Additionally, it may be desirable for server 151 to collect data about potentially malicious applications, using data collection systems described herein, in order to provide data from a variety of sources for use by analysis systems.
In an embodiment, when mobile communication device 101 assesses a data object, such as an application package or executable, to determine whether the data object is malicious or otherwise undesirable, the device sends a request to server 151 for an assessment of the data object, the request containing identifying information for the data object. In an embodiment, the request transmitted by mobile communication device 101 contains application data for the data object for use by the server in performing the assessment. For example, in addition to transmitting identifying information such as an application's package name and hash, mobile communication device may additionally transmit the permissions requested by the data object and information, such as a list of APIs utilized, determined by the device by performing static analysis.
In an embodiment, mobile communication device 101 gathers metadata for a data object by using operating system provided facilities and potentially additional processing. For example, both the Blackberry and Android platforms provide mechanisms by which an anti-malware application can query the list of packages installed on a device. Each also provides methods to query additional information about the packages such as cryptographic signature information and information about how the packages choose to integrate or expose themselves to the operating system.
In another example, mobile communication device 101 may extract features from a data object to assist in server 151 producing an assessment. In an embodiment mobile communication device 101 performs static analysis on the data object to extract application data to transmit to server 151. For example, on Android, the device may analyze the executable portion of an application packages, typically called “classes.dex”. The device may extract a list of inter-process communication calls directly or indirectly performed by the executable file that utilize the “binder” mechanism and transmit information about the calls to server 151 for use in analyzing the application package.
In an embodiment, server 151 may analyze the data object immediately, or may need to gather additional information using a process such as one disclosed herein. After producing an assessment for the data object, the server transmits the assessment to mobile communication device 101. In an embodiment, the assessment contains an indication of whether the data object is considered undesirable or not. For example, server 151 may transmit one of three assessments, known good, known bad, and unknown. If the server determines that the data object is known to be good (e.g., because it has a high trust level), it will return an assessment that the data object is known good. If the server determines that the data object is known to be bad (e.g., because it is determined to be a piece of malware), it will return an assessment that the data object is known bad. If the server does not have enough information to make a determination, it will return an assessment that the data object is unknown. In an embodiment, the assessment contains a risk level of the data object or a confidence level of the known good or known bad assessment so that mobile communication device or its user can use the risk or confidence level to determine how to classify the data object.
In an embodiment, the assessment transmitted by server 151 to mobile communication device 101 contains information as to why server 151 determined that the data object was undesirable. For example, server 151 may transmit the name of a malware family the data object was determined to belong to or server may transmit an HTTP URL referencing server 151 that mobile communication device 101 can use to display additional information about the data object, the URL containing an identifier that is decoded by server 151 to allow it to retrieve stored information about the data object. The web page may display additional information such as the output from different analysis systems used to produce the assessment. For example, the web page may display distribution information for the data object, information about common servers connected to by the data object, information provided by human analysis of the data object, trust data associated with the data object, information about the geographic distribution of the data object, information about similar data objects, and information about the author of the data object.
It may be desirable to minimize requests mobile communication device 101 needs to send to server 151 for assessments of data objects so that the device minimizes the amount of data it transmits and receives, reduces time required to assess a data object, optimizes battery consumption, and minimizes load on server 151. In an embodiment, a mobile communication device 101 maintains a local cache of assessment information received from server 151. The local cache may be stored using a lightweight database such as SQLite or in a proprietary binary file format that is optimized for assessment storage. For example, the cache may contain an indication as to whether a data object was undesirable or not, a risk level associated with a data object, and definition information such as identifying information for a data object. When a device scans a data object, it can look up the data object's identifying information in the local cache. If an assessment for the data object is cached, that assessment is used. If an assessment is not cached, the device retrieves an assessment from server 151. In an embodiment, when a mobile communication device inserts an assessment into its cache for a data object encountered on the device, it generates definition information for the data object. For example, a device may use the hash of a data object's content to ensure that it caches assessment results from a server. In an embodiment, server 151 transmits definition information with an assessment so that mobile communication device can apply the assessment to the appropriate set of applications. For example, in some cases server 151 may indicate that an assessment only applies to a specific data object identified by a hash of its contents while in other cases the server may indicate that an assessment applies to all data objects signed with the same cryptographic key.
In an embodiment, a mobile communication device 101 stores a local cache of definitions for known good data objects and known bad data objects for use by a recognition component (described below) operating on the mobile communication device. Using the recognition component, the mobile communication device can determine an assessment for a suspect data object if the local cache contains a definition and corresponding assessment that corresponds to the suspect data object. For example, the definitions may use criteria such as hash identifiers, package names, and cryptographic signers to match a data object. Each definition may have a corresponding assessment (e.g., “good”, “bad”). If a definition matches a suspect data object, the definition's assessment is used for the suspect data object. If no definitions correspond to the data object, such as the data being recognized as safe or not safe, then the mobile communication device 101 may transmit application data for the suspect data object to server 151 for more comprehensive analysis.
In an embodiment, the cache is used as the primary storage of anti-malware definitions that determine whether anti-malware software on mobile communication device 101 will recognize a data object as malicious or not without having to consult server 151. In an embodiment, the cache stores definition information used by a recognition component on the device. For example, the cache may contain definition information such as package names, cryptographic signers, byte sequences, patterns, or logic that is used to match data objects on a device with cached assessments. If the cache contains an entry linking a particular byte sequence to an assessment of being a malicious application and a data object on a device contains that byte sequence, then the device will determine that data object to be malicious without having to contact server 151. In an embodiment, the cache only contains definition information, all definitions corresponding to a single assessment of a data object being malicious. In an embodiment, the cache may contain assessment information, the assessment information possibly containing an identifier, as discussed above, which can be transmitted to server 151 in order for the device to retrieve information for display to a user. Such an identifier being used to retrieve data from server 151 allows the cache to minimize the information it stores about potential malware. In an embodiment, a device cache serves as both a whitelist and a blacklist. The cache contains definition information for known good and known bad data objects so that if a data object is determined to be known good or known bad, the device does not need to request an assessment from server 151. In an embodiment, the cache that serves as both a blacklist and a whitelist is used by a recognition component on the mobile communication device to determine if data objects are recognizably bad or recognizably good. If a data object encountered by a device is neither recognizably good nor recognizably bad based on definition data stored in the cache, then the device may transmit application data for the data object to server 151 so the device can receive an assessment for the data object from the server. In an embodiment, anti-malware software on a mobile communication device is installed with a pre-populated cache of definitions that are modified by the device as it receives new assessments or stored assessments are deemed to be invalid.
In an embodiment, assessments and definitions cached on a device are only considered valid for a period of time so that the mobile communication device does not rely on data that is potentially out of date. In an embodiment, cached assessments and definitions are stored indefinitely and considered to be valid without time constraint. In an embodiment, a device only stores certain types of assessments and definitions. For example, a device may only cache known good assessments or may only cache known bad assessments. In this case, definitions are only stored if they have a corresponding assessment. In an embodiment, part of the cache is stored in volatile storage, such as RAM, and part of the cache is stored on non-volatile memory, such as flash. Because volatile memory is typically more limited yet much faster than non-volatile memory, a device may store frequently accessed assessments and definitions in volatile memory while less frequently accessed assessments and definitions in non-volatile memory. For example, if an anti-malware system analyzes data objects every time they are opened, it may be desirable to very quickly determine an assessment for a data object if it has been recently scanned and not changed. By storing a recently used definition and assessment in volatile memory, the device can recall the previous assessment very quickly.
In an embodiment, server 151 transmits cache control information with an assessment, indicating whether the device should cache it and, if so, for how long. For example, server 151 may transmit an assessment for a popular application from a reputable company, including cache control information indicating that a device should cache the assessment. If server 151 transmits an assessment for a lesser-known application, it may include cache control information indicating that a device should not cache the assessment, as the application may turn out to be considered undesirable in the future after more is known about it. In an embodiment, server 151 determines cache control information based on the confidence of an assessment. For example, known good assessments for applications that have a high trust level may be considered to be highly confident while assessments indicating that an application is unknown due to lack of data available to the server may not be considered confident. In an embodiment, when an assessment expires, cached definition information associated with the assessment is also expired.
Because retrieving cached assessments is faster than retrieving assessments from server 151 (thereby minimizing the delay and overhead with determining whether a data object is malicious or not), it may be desirable to maximize the number of assessments that can be determined locally from cached data. In an embodiment, server transmits assessments to a mobile communication device without the device requesting the assessments and the mobile communication stores these assessments in its cache. Because all of the assessments available to server 151 may require more storage than is desirable on mobile communication device 101, server may only transmit a subset of its available assessments. In an embodiment, server 151 determines which assessments to transmit to mobile communication device 101 by analyzing device data and application data. For example, server 151 may store the operating system a data object is compatible with associated with assessments for data objects in such a way that the server can query for all of the assessments related to a given operating system. Server 151 may then only transmit assessments to a mobile communication device that are for data objects that are compatible with the operating system the device is running. The other assessments would not be transmitted to the device because the data objects referenced by the other assessments are not able to run on the device's operating system. In another example, server may use a device's country, language, or area code to determine what assessments to transmit to the device. Users in the United States are unlikely to download Russian-language applications, just as users in Russia are unlikely to download Spanish-language applications.
In an embodiment, server 151 stores which assessments it has already transmitted to a device and the device has successfully received so that assessments are not unnecessarily re-transmitted. If a device has not received assessments that are desired, the server transmits the assessments the next time the device connects. In order to efficiently track which assessments have already been received by a device, server 151 may group assessments, such that a given device receives all assessments in one or more groups. For example, a given group of assessments may have changes (e.g., new data objects being assessed, changes to existing assessments) multiple times per day; however, a device may be configured to receive updated assessments only once per day. To determine what assessments to transmit to a device, server may record the time when a device has last received up to date assessments for a group and only examine changes to the group since the device has last received assessments. For example, if a device receives all of the assessments for a given group on Monday and two new assessments are added to the group on Tuesday, then, if the device connects on Wednesday, the server only needs to query what assessments have changed in the group since Monday and will determine that it needs to transmit just the two added assessments. In an embodiment, server utilizes a push service such as one described herein to alert a device that there are additional assessments that server is ready to transmit to the device. When using such a push service, when server updates assessments that are part of a group, all devices that receive assessments from that group can be updated with the latest assessments nearly immediately.
There are a variety of ways in which assessments can be grouped by server 151 in order to selectively transmit assessments to a device. For example, there may be more assessments for data objects compatible with a given operating system than it is desirable to store on a device. In this case, the server may produce a group of assessments that correspond to the most prevalent data objects, based on distribution data or market data available to server 151. In this case, devices will cache assessments for the data objects they are most likely to encounter. It is also possible to further improve the likelihood that a device has assessments cached for data objects it encounters by server 151 analyzing the application data available at the server corresponding to the data objects previously encountered by the device and predicting, based on those previous encounters, what data objects the device is likely to encounter in the future. Assessments for these likely data objects can then be transmitted to the device.
Because the optimal amount of assessment data to cache on a device may be different depending on a device's hardware, user behavior, or user preferences, it may be desirable for that amount of data to be tunable. In an embodiment, the amount of assessment data to cache on a mobile communication device 101 is determined by server 151. For example, server 151 may examine the amount of storage available on a device, the frequency by which a user downloads applications, and how likely additional cached assessment data will be to reduce the number of required assessment requests transmitted by the device. If a device has a lot of available storage and its user downloads a lot of applications, then the server may determine to cache a large amount of assessment data; however, if a device has little available storage and its user rarely downloads applications, then the server may determine to cache only a small amount of data or no data. The server may also examine previous assessment requests made by the device to determine if those requests could have been avoided by the device caching additional assessment information. For example, if a device currently receives assessments belonging to a particular group of applications and the server is evaluating whether device should receive assessments for an additional group of applications, the server examines previously assessment requests to determine how many of those assessments were in the second group. If server 151 determines that enough of the assessments requests would have been avoided, then it will start transmitting assessments from both groups to the device. In an embodiment, a user can control the amount of storage to allocate to cached assessments on a mobile communication device 101.
Instead of always producing an absolute assessment (e.g., known good or known bad), it may be desirable for server 151 to report that it does not yet have an assessment. In an embodiment, server 151 transmits an assessment for a data object indicating that the object's undesirability is unknown. When mobile communication device 101 encounters a data object, it transmits a request to server 151 for an assessment, and receives an unknown assessment, the device temporarily trusts the data object and retries the request for assessment at a later time. In order to avoid unnecessary requests, the device increases the time delay between retries if it continues to receive unknown assessments. During such a period of temporary trust, the device does not re-transmit an assessment request every time a data object is scanned. For example, in an anti-malware system on a mobile device designed to scan files on a file system when they are accessed, the first access to a data object may result in the device transmitting an assessment request to server 151. If the server returns an unknown assessment, then the device stores a temporary entry in its assessment database indicating identifying information for the data object, a temporary assessment indicating that the data object is allowed, and the time period the assessment is valid for.
In an embodiment, server 151 transmits information about a data object in an unknown assessment and mobile communication device 101 uses the data assessment from server 151 as an input into a local analysis system. For example, mobile communication device 101 may have a heuristic system that analyzes the content of a data object to determine if it is malicious. In the case of a known good or known bad result from server 151, then the device either does not run the heuristic system or discards the result from the heuristic system. If server 151 returns an unknown result including a trust level for the data object, device 101 combines result from the heuristic system with the trust level provided by the server to determine whether to treat the data object as undesirable or not. For example, mobile communication device 101 may scale the result from local analysis based on the trust level reported by server 151. If a heuristic system on the device determines that a data object is 66% risky and an unknown assessment from server 151 indicates that the data object has a suspicious 1% trust level, the device determines that the data object is undesirable; however, if the unknown assessment from server 151 indicates that the data object has a 70% trust level, then device 101 determines that the data object is desirable.
In order to respond to undesirable applications, such as malware and spyware, as soon as they are identified as such, it may be desirable for server 151 to transmit notifications to mobile communication device 101 about data objects that are determined to be undesirable after previously being classified as good or unknown. In an embodiment, server 151 stores information about data objects encountered by mobile communication device 101 so that if a data object encountered by the device was assessed to be good or unknown but was subsequently determined to be undesirable, server 151 may determine all of the devices that have encountered the data object and transmits a notification indicating that the data object is undesirable. In an embodiment, server 151 only transmits a notification to device 101 if the data object that is the subject of the notification can operate on the device's operating system. For example, if a device runs Blackberry and has encountered an Android spyware application, server 151 would not transmit a notification to the device; however, if the device encountered a Blackberry spyware application, server 151 would transmit a notification. As disclosed herein, the determination of whether a data object can operate on a given device may be determined by analyzing device data for the device and application data for the data object.
In an embodiment, the notification transmitted from server 151 to device 101 is designed to be consumed by the device and includes both identification information and remediation information for the data object. For example the notification may utilize a push service provided by a platform vendor and include the package name and content hash for a data object. The notification may also specify a remediation action such as “killing” any processes containing the data object, requesting for a user to uninstall the data object, and deleting the data object without user intervention. In an embodiment, the notification includes information for display to a user about the data object such as remediation instructions, an explanation for why the data object is considered undesirable, or a request to take a particular action. In an embodiment, the notification is in the form of a human readable message, such as a text message, email, or telephone call. It may be desirable for server to perform both human readable and machine readable notification to ensure that a user responds to a dangerous data object. For example, server may transmit an email message to a user and transmit a notification for the device to remove the data object without user intervention.
In an embodiment, mobile communication device 101 contains a database of all data objects that are present on the device and server 151 transmits updated signature data to the device when a data object encountered by the device is determined to be undesirable. When the device receives the updated signature data, it compares the updated signature data to data objects present on the device. If any objects that are present on the device are considered by the updated signature data to be undesirable, then the device immediately initiates remediation actions, not waiting for the next time the data object is scanned.
If an anti-malware system performs an assessment for a data object, it may be desirable to trust the data object as long as it hasn't changed to avoid having to re-assess the data object. In an embodiment, mobile communication device 101 maintains a list of data objects identified that have been analyzed and are considered to be desirable. When a data object is desired to be scanned, the device may first check this list to see if the data object is present. If the object is present, the device does not re-scan the object. After scanning a file and determining it to be desirable, the device places an identifier for the data object in the list. Example identifiers include a file name, filesystem node identifier, or operating system specific data object handle. In an embodiment, the mobile communication saves this list of data objects to non-volatile storage so that the list can be preserved even if the device is rebooted or runs out of battery. When storing assessments and later accessing them, it's important that any stored assessments are valid only for a particular set of data object content. If the data object's content changes, a different assessment may be necessary, as the data object may have been modified to include malicious code that was not present in the original data object. In an embodiment, the list contains a cryptographic hash of the content of the data object. When the device determines whether the data object is considered to be on the list, it compares the hash of the data object as stored on the device with the hash stored in the list. If the hash matches, the data object is considered to be on the list. In an embodiment, the anti-malware software can determine when files are opened and closed. If a file on the list is opened with write access, then it is removed from the list. While there are open writers to the file, the file cannot be added to the list.
One will appreciate that an embodiment of this disclosure contemplate other ways for reducing network traffic while providing sufficient options for securing mobile communication devices. In an example, a mobile communication device can request an analysis of all of the data resident on the device (a “scan”) when the mobile communication device first starts up or powers on, or when the application responsible for monitoring the mobile communication is first launched. This provides a baseline analysis of the security of the mobile communication device. Future scans may be performed when new applications are accessed by the mobile communication device, or at pre-set time intervals, or upon user request. Scans may be adjusted depending upon the access to network 121. If connectivity is an issue, then only newer data may be assessed, or suspect data. Scans may be queued and performed when connectivity improves.
In an embodiment, an anti-malware system on mobile communication device 101 has the capability to perform both an on-demand and a scheduled scan of all data objects present on a device. If the anti-malware system utilizes server 151 to perform assessments for the data objects, it may be desirable to optimize the time required to perform the scan. Because network latency causes a delay between the time a request for an assessment is transmitted by a device and the time the device receives a response from server 151, it may be desirable to pipeline requests in such a way that the device does not simply idle while waiting for a response. In an embodiment, mobile communication device transmits a request to server 151 to provide assessments for multiple data objects and server 151 transmits assessments for those multiple data objects to the device. For example, during an on-demand scan, a device may be configured to first enumerate all of the data objects on the device and then send a request to server 151 to assess all of the enumerated data objects. In another example, a device may enumerate ten data objects at a time, then send a request to the server and receive a response for those ten data objects before scanning additional data objects. In another example, a device may enumerate data objects and transmit assessment request, continuing the enumeration process without waiting for assessment responses from the server. The device may only wait for responses when the enumeration is complete.
In an anti-malware system that blocks the loading or executing of a data object until the system has reached a disposition, it may be desirable to assess a data object before it needs to be loaded or executed. In an embodiment, mobile communication device 101 proactively scans data objects and stores the results so that when the data object is loaded, the device can reference the previous scan result. For example, when a device loads a program that depends on multiple other files (e.g., an executable that is linked to shared libraries), an anti-malware system on the device may analyze the program to determine all of the libraries it depends on, send a request to server 151 for assessments for the program and its dependent libraries, and then allow the program's execution to proceed once the device receives positive assessment results. When the device's operating system loads the libraries the application depends on, no request to server 151 is needed because the system already has up-to-date assessments for the libraries. If the libraries were not proactively analyzed, the total load time for the program could be greater as the device may have to wait for multiple requests to server 151 to occur in serial. In an embodiment, software on a mobile communication device analyzes data objects after they are downloaded but before they are executed. For example, anti-malware software on a device may watch the download directory for new files or may simply wait for files to be created, written to, and then closed. After the download completes, the software may initiate a scan of the new file so that once the file is opened, the system already has assessed it and can recall the previous assessment.
If an anti-malware system blocks user-requested or system operations while it is assessing a data object, it may be desirable to give the user an indication that an assessment is in progress, especially if the assessment depends on a network connection that may have significant latency. In an embodiment, an anti-malware system on mobile communication device 101 displays a user interface indicating that a data object is being scanned when the system is scanning the data object and blocking user-requested operations. For example, if an anti-malware system prevents the execution of applications until the application and all of its dependent libraries have been assessed by interposing itself in the application launch process, there can be a significant delay perceivable to the device's user. The annoyance associated with the delay may be mitigated by informing the user what is happening instead of the device simply seeming unresponsive. When a user launches an application, the device displays a user interface view indicating that the anti-malware system is assessing the application that the user launched. In an embodiment, the user interface allows the device's user to skip waiting for the scan to finish. For example, if the device's scanning of a data object needs to connect to server 151 and the user doesn't want to wait, the user may proceed without waiting for the assessment to return. If the assessment subsequently returns that the data object is malicious, the device may initiate remediation actions, such as killing any processes containing the data object and deleting the data object, even though the data object was allowed to run.
A user may be interested in having an application assessed, but does not wish to wait for a response from server 151. The user may choose to forego complete analysis and use the application while waiting for analysis results. In such a situation, it would be helpful if server 151 or the user's mobile communication device 101 could provide a temporary trustworthiness evaluation prior to formal analysis. Reporting can be in the form of an interface element, a notification, a warning, a risk rating, or the like. In an embodiment, the mobile communication device 101 can run a local analysis to determine whether an application is temporarily trustworthy. It may also be desirable to show information about a data object on a user interface that indicates when an anti-malware system is waiting for an assessment from a server so that users do not accidentally skip items that are high risk. In an embodiment, the waiting user interface shows the result of local analysis while waiting for an assessment from server 151. For example, the user interface may show the capabilities of the data object or a risk score for the data object. In an embodiment, the device only allows a user to skip waiting for an assessment from server 151 if local analysis determines that the data object is low risk. For example, a risk score may be calculated by analyzing what sensitive functionality a data object accesses. A data object that accesses a user's contact list and browser history may be deemed more risky than a data object that doesn't access any sensitive functionality.
In an embodiment, an anti-malware system on device 101 determines whether it should wait for a response from server 151 before reaching a conclusion based on the context of the scan. For example, scans that occur during system startup or when there is no active network connection should not block waiting for a response from the server. In order to determine if there is a network connection, the anti-malware system may rely on a variety of methods such as querying network interface state information provided by the operating system and analyzing whether requests to server 151 time out. If the anti-malware system intercepts system calls, scans that occur as a result of the system trying to execute a data object should block while waiting for a response from server 151 while scans that result from an application getting information about a data object (e.g., file manager extracting an icon for the data object) should not block while waiting for a response. In an embodiment, if a request for a data object assessment is unable to be completed, it is retried at a later time.
In an embodiment, the anti-malware system skips portions of server or local analysis if an accurate assessment can be produced without the additional analysis. For example, if local analysis determines that a data object is not risky, then the device may not request an assessment from server 151—the device may only request an assessment from server 151 if the data object being scanned has a minimum riskiness as determined by a local analysis component on the device. In an example, the determination of whether to skip waiting for additional results is determined by both the results and which system returned each result. A “bad” result from local analysis before receiving a result from server 151 may be enough to treat a data object as malicious; however, a “good” result from local analysis may still require the system to wait for an assessment from server 151 to confirm that the data object is good before determining a final disposition.
In an embodiment, if multiple analysis systems produce different results, the anti-malware system on a device analyzes the results of the systems to make a determination as to the final disposition of a data object, the determination taking into account both what results were produced and which system produced each result. For example, the anti-malware system may determine that a single undesirable result is enough to flag a data object as undesirable. In another example, server 151 may be treated as authoritative or server 151 may transmit a confidence level of its assessment so that device 101 can determine whether to treat the assessment as authoritative or not. In another example, known bad results from server 151 may be authoritative but known good results from server can be overridden by a known bad result from a local analysis system on device 101.
In an embodiment, server 151 stores a list of malware or other undesirable applications that have been detected on the device and which are still active on the device. In order for this list to be populated, mobile communication device 101 sends events to server 151, including whenever it encounters an undesirable application, whenever an undesirable application is removed, and whenever an undesirable application is ignored. The events include identifying information for data objects so that server 151 can correlate the events with known data objects. For example, because a user may choose to ignore malware, it's important for the user to be able to see his or her list of ignored malware to avoid a situation where a malicious user installs malware on someone else's phone and configures anti-malware software on the phone to ignore the malware, preventing the system from automatically removing it. In this circumstance, the legitimate user of the phone is able to tell that a piece of malware is active on his or her device, but is ignored. In an embodiment, because server 151 has data indicating whether device 101 currently has active malware, network access can be allowed or denied to the device depending on its malware state by a network access control system querying server 151 for the state of a given device.
In an embodiment of this disclosure, server-side or “cloud” analysis may be performed using a version of the three-component system described in U.S. patent application Ser. No. 12/255,621, which is incorporated in full herein. An example of a three-component system is illustrated in FIG. 9 and includes a first component 903 that may be used to recognize data that is safe, or “known good” (also referred to herein as forming part of or being included on a “whitelist”). A second component 905 may be used to recognize data that is malicious, wastes device resources, or is “known bad” (also referred to herein as forming part of or being included on a “blacklist”). A third component 907 is a decision component that may be used to evaluate data that is neither known good nor known bad, i.e., “unknown.” In an embodiment, known good component 903 and known bad component 905 may reside on mobile communication device 101, and decision component 907 may reside on server 151. In an embodiment, known good component 903, known bad component 905 and decision component 907 may all reside on server 151. In an embodiment, portions of known good component 903, known bad component 905 and/or decision component 907 may reside on mobile communication device 101, and portions of known good component 903, known bad component 905 and/or decision component 907 may reside on server 151. In an embodiment, known good component 903 and known bad component 905 reside on server 151 while decision component 907 resides on mobile communication device 101.
For example, data store 111 may contain malware definitions that are continuously updated and accessible by server 151. The mobile communications device 101 may be configured to send application data, such as a hash identifier, for a suspect data object to server 151 for analysis. Server 151 may contain known good component 903, known bad component 905 and decision component 907, or the components may be distributed across two or more servers. The one or more servers may thereby use application data to determine if the suspect data object is a recognizably safe data object. If the suspect data object is recognizably safe, then the one or more servers may notify the mobile communications device or instruct the device that it may accept and process the data object. The one or more servers may then use application data to determine if the suspect data object is recognizably malicious. If the suspect data object is recognizably malicious, then the one or more servers may notify the mobile communications device or instruct the device to reject the data object and not process it further. The known good and known bad components may have a variety of methods for recognizing known good and known bad data objects. The data, logic, and any other information used by known good and/or known bad components to identify recognizably good or recognizably bad data objects, respectively, may be called “signatures” or “definitions” (explained further below).
If the known good and known bad components are inconclusive, one or more servers may perform additional analysis to reach a decision as to the disposition of the data object. In an embodiment, server 151 contains a decision component that uses one or more analysis systems to analyze application data for the data object and make a determination as to whether the data object is considered undesirable or not. In an embodiment, if there is not enough information to perform the additional analysis, then the one or more servers may request that a mobile communications device send additional application data to the server for analysis. For example, a device may initially send a hash identifier, package name, and cryptographic signer information for a data object to a server for analysis. If the known good or known bad component fails to identify the data object as known good or known bad, the server may request that the device send the whole data object to the server so that the data object itself may be analyzed. Upon receiving additional application data, further analysis to reach a disposition for whether a device should accept or reject the data object may be performed by a decision component 907 or manually. In an embodiment, the server stores whether or not a given data object needs manual analysis so that an analysis team may easily determine what data objects need to be analyzed.
Because an assessment for a data object may rely on human analysis to be produced, server 151 may use analysis systems to produce store a list of suspicious data objects that need further study. In an embodiment, some results from analysis systems on server 151 produce assessments that are transmitted to mobile communication device 101 and others identify data objects as needing human analysis. For example, if server 151 utilizes a set of heuristics to identify malicious applications, some set of the heuristics may be well tested and provide acceptable accuracy in correctly identifying malicious behavior while another set of heuristics may be experimental, requiring human analysis to determine if the results are acceptable.
The following describes each of the components identified above in more detail. A person skilled in the art will appreciate that since the total number of known good applications for mobile communication devices can be identified, use of the known good component 903 coupled to a database, logic, or other data store containing definitions for known good data objects (e.g., application data such as hash identifiers) may significantly reduce false-positive undesirable application detection and reduce the need to perform computationally expensive analysis or to contact a server for analysis. One will also appreciate that use of a known good component 903 may be particularly effective for data that contains executable software code. Executable software code for a given application rarely changes between different mobile communications devices, so creating a database of known good application data or logic for evaluating application data may be an effective method for recognizing safe or trustworthy data. This database may vary in size depending upon the resources available on the mobile communications device. Alternatively, aspects of this disclosure, such as the known good component and known bad component, may have access to a remote server with a larger library of application data for known good or bad data objects, such as server 151 coupled to a data store 111 in FIG. 1.
In an embodiment of this disclosure, known bad component 905 may have access to a database, logic, or other data store containing definitions for known bad data objects that can be stored on the mobile communications device without occupying a significant amount of memory. For example, virus and other malware or spyware definitions can include application data such as hash identifiers, package names, cryptographic signers, byte sequences, and byte patterns stored in a database or other memory cache. In other words, there may be a known bad database that complements the known good database stored on mobile communications device 101. Additionally or alternatively, known bad component 905 may be capable of identifying malware using characteristics common to other malicious software code. When applied to network data or data files, known bad component 905 may have access to a database containing patterns or other characteristics of a protocol data unit or file format which presents a security threat. Known bad component 905 may also identify data that undesirably affects a mobile communication device, such as exposing vulnerabilities, draining battery life, transmitting private or unauthorized information to third parties, or using up unnecessary device resources. Similar to the known good component 903 and database, any data identified as “bad” may be deleted, quarantined, or rejected from further processing by the mobile communications device. If a known bad data object is detected, an embodiment of this disclosure may also display a notification or other message similar to that described in co-pending U.S. patent application Ser. No. 12/255,635, entitled “SECURITY STATUS AND INFORMATION DISPLAY SYSTEM,” filed on Oct. 21, 2008 and incorporated in full herein.
Decision component 907 may be used to evaluate data that cannot be characterized as either known good or known bad. Since a majority of the data received on the mobile communications device 101 may fall within this category, this component may reside on server 151. This component may utilize a variety of methods to produce an assessment for a data object, including using any of the analysis systems disclosed herein. For example, decision component 907 may apply static analysis, dynamic analysis, distribution analysis or other methods of analysis in order to determine whether received data may be passed to its intended destination or rejected to prevent harm from befalling the device. Examples of this analysis are discussed below.
The following examples illustrate how one or more servers can be used to augment or replace the methods described in U.S. patent application Ser. No. 12/255,621.
Multiple systems containing known good component, known bad component, and decision component are possible. Depending on the specific types of data being analyzed and the types of security threats being prevented, different orders of execution and logic applied to each component's output can be employed. In an embodiment, if data is not determined to be good by known good component 903 (block 805), it will be rejected from processing 813. Data that known good component 903 determines to be good (block 805) is still analyzed by known bad component 905 (block 807). If known bad component 905 determines data to be bad (block 807), it is rejected from processing 813, otherwise data may be analyzed by decision component 907 (block 809). In an embodiment, if data is not determined to be known good by known good component 903, known bad component 905 analyzes it. If known good component determines the data to be good, it is allowed. If known bad component 905 determines the data to be bad, it will be rejected from processing 813. If known bad component 905 does not determine the data to be bad, the data may be analyzed by decision component 907 to reach an assessment for the data.
An example analysis of network data or data files present on a mobile communication device is shown in FIG. 8. As shown in FIG. 8, block 801 may involve gathering data sent to or received from the mobile communications device. The data may be analyzed to identify its protocol and track state (block 803). In block 805, known good component 903 resident on the mobile communication device may evaluate the gathered data for known good characteristics. Known good characteristics may include the characteristics previously discussed or described in U.S. patent application Ser. No. 12/255,621. If the data contains sufficient known good characteristics, it may be allowed to proceed to its intended destination (block 811) for processing, execution or other operation. Alternatively, the data may be further analyzed by known bad component 905 resident on the mobile communication device to confirm that the data is truly safe (block 807). If known bad component determines that the data is truly safe, then the data may be allowed to proceed to its intended destination (block 811). Decision component 907 may also be available to provide a final check (block 809) before allowing the data to proceed (block 811).
Analysis of a data object may be performed at any time. For example, the data object may be evaluated prior to access or download, or after download but prior to installation, or after installation, prior to installation of a new version of the data object, or after the installation of a new version of the data object, if the data is an application. In an embodiment, a data object that has not yet been downloaded to a device is evaluated by using identifying information about the data object. For example, if an application market accessible to a mobile communication device makes applications available for download and provides identifying information about the data object such as a hash of the application's content or a package name for the application, software on the mobile communication device can use the identifying information to determine an assessment for the application by evaluating the identifying information locally using any of the systems described herein or by transmitting the identifying information to server 151 and receiving an assessment from the server. In this manner, the software on the mobile communication device can assess whether applications are undesirable or not before a user downloads them.
At any point during the analysis, if either known good component 903, known bad component 905 or decision component 907 (discussed further below) determines that the data is not good, or affirmatively contains security threats, data inconsistencies, etc., then in block 813 the data will be blocked, rejected, deleted or quarantined. In an embodiment of this disclosure, a signal event or security event information log may be updated to record the encounter with the contaminated data.
The analysis of executable data such as applications, programs and/or libraries on the mobile communications device may proceed as illustrated in FIG. 9. In block 901, the executable is determined to need to be classified as either good or bad as a result from an attempt to access the executable, installing the executable, or the executable being downloaded or otherwise transferred to the mobile device. The executable may or may not be pre-processed to extract additional application data such as a hash identifier, cryptographic signer, package name or other characteristics before being evaluated by known good component 903 resident on the mobile communication device (block 903). This evaluation may include comparing the executable's hash identifier or other characteristics against a database of known good characteristics, identifying whether the executable has sufficient known good characteristics, or any of the criteria discussed above or described in U.S. patent application Ser. No. 12/255,621.
If the executable is recognized as known good, then in block 911, it may be allowed to execute its code or proceed to its intended destination for processing or other operation. If known good component 903 fails to allow the executable data, then known bad component 905 resident on the mobile communication device may perform its analysis (block 905). If known bad component 905 confirms that the executable is malicious, then the executable may be quarantined, rejected, or deleted, and the event may be logged (block 909). If known bad component 905 is unable to characterize the executable, then the decision component 907 may perform its analysis as described further below (block 907). If decision component 907 ultimately determines that the executable is safe, then the executable is allowed (block 911). If decision component 907 ultimately determines that the executable is not safe, or remains unsure, then the executable may be quarantined (block 909). One will appreciate that since executables may contain code that can cause significant harm to the mobile communications device, it may require more rigorous analysis before the executable is allowed to proceed.
One will appreciate that known good component 903 and known bad component 905 can be kept lightweight on the resident mobile communication device by only storing definition information about those applications most likely to be accessed by the mobile communication device. As described above, such information may be determined, for example, based upon device data, the applications previously installed on the mobile communication device, and the way the mobile communication device is used (e.g., work versus entertainment, accessing public networks versus private networks, etc.). One will appreciate that each mobile communication device may store different definition information, and that an embodiment of this disclosure contemplates such granularity.
As discussed above and throughout, an embodiment of this disclosure is directed to server-side analysis of data in the event that known good component 903 and known bad component 905 are unable to determine whether the data is safe. In an embodiment, decision component 907 resides on one or more servers 151 in communication with the mobile communication device over network 121, i.e., “in the cloud.” The decision component may rely on one or more analysis systems, such as the analysis systems disclosed herein. Because decision component 907 resides on computing resources that are more powerful than the mobile communication device, it can provide a more robust analysis to determine if data should be considered bad or good for device 101. Furthermore, analysis that takes place on server 151 can take advantage of data collected by the server to produce an assessment that would not be possible only relying on data available to mobile communication device 101. For example, decision component 907 on server 151 may determine that a data object is malicious if behavioral data reported by devices indicate that the data object sends premium-rate SMS messages or dials premium-rate phone numbers on devices that it is installed on.
In an embodiment, decision component 907 utilizes one or more types of internal analysis systems to characterize whether a data object is good or bad. The decision component 907 is designed to detect security threats without specific definitions for the threats being protected against. In other words, decision component 907 may operate as an additional security component to compensate for any weaknesses from known good component 903 or known bad component 905 and to identify new threats that have not been previously identified.
One will appreciate that there are a number of analysis systems that may be utilized by decision component 907, including but not limited to systems that use heuristic algorithms, rule-based or non-rule-based expert systems, fuzzy logic systems, neural networks, or other methods by which systems can classify a data object. As described above, such systems may use a variety of data available to decision component 907, including but not limited to distribution data, characterization data, categorization data, trust data, application data, and the like. For example, decision component 907 may analyze applications, libraries, or other executables on a mobile communications device. In an example, the decision component 907 may contain a neural network which analyzes characteristics of an executable and determines a security assessment based on network connection characteristics. Such characteristics may be determined based on information contained in the executable file format or as a result of processing the content of the executable file. In another example, the decision component 907 may contain an expert-system which analyzes the behavior of an executable through function calls, system calls or actions an executable may take on an operating system. If an executable calls in a way that signifies malicious behavior, the system may flag that executable as potential malware and action may be taken.
If decision component 907 is located on mobile communication device 101, it may be desirable to update rules or analysis parameters independently of updating the executable code powering the decision component. In an embodiment, the decision component 907 contains a virtual machine-based decision system by which an executable can be classified by a set of rules that may be updated independently of the decision component itself. Such a system is able to add new logic to detect certain new classes of undesirable applications on the fly without having to update the whole decision component. The system may pre-process the executable so that the virtual machine's logic can symbolically reference the executable rather than having to process the executable itself.
In an example, the decision component 907 may consider third party information to evaluate data. A person having skill in the art will appreciate that a mobile communication device 101 is capable of accessing an application provider, such as Apple's App Store, the Android Market, or other software repository or digital distribution platforms for providing applications available for download and installation on the mobile communication device. In an embodiment, server 151 has access to such application providers and can collect information about specific applications. For example, server 151 can search for and collect user-generated reviews or ratings about applications. An application that has favorable ratings may be deemed safe while an application with significantly negative ratings may be deemed undesirable. Because server 151 may also determine trust data for data objects, the assessment for an application with negative reviews may only indicate that the application is undesirable if the application has a low trust rating while an application with a high trust rating and negative reviews may still be considered desirable by an anti-malware system.
The above examples illustrate how decision component 907 may utilize a number of analytical methods in order to fully evaluate the threat level of data received by or transmitted from the mobile communications device. Other examples may be contemplated without departing from the scope of this disclosure.
One will appreciate that identifying recognizably good data objects and recognizably bad data objects, such as by mobile communication device 101 or server 151, may be performed by a single component rather than by separate “known good” and “known bad” components. In an embodiment, a single recognition component performs the functionality of identifying both recognizably good and recognizably bad data objects.
In an embodiment, a recognition component utilizes definitions to determine an assessment for a data object. The recognition component first examines application data for a data object to determine if any definitions correspond to the data object. For example, if the recognition component has access to definitions that are hashes of data objects' content, a definition that has the same hash as the hash of a given data object's content is determined to correspond to the data object. In another example, if the recognition component accesses definitions that contain byte sequence signatures, a definition with a byte sequence contained in a data object's content is determined to correspond to the data object. Each definition may be associated with an assessment so that the recognition component can examine application data for a data object to determine a corresponding definition, determine a corresponding assessment for the definition, and therefore produce an assessment that corresponds to the data object. For example, the application data for a data object may include identifying information such as the data object's hash, package name, unique identifier, or other application data such as the data object's content. In an embodiment, the definitions used by a recognition component represent known data objects. In this case, when the recognition component determines if an assessment for a known data object corresponds to a data object being analyzed, the data object being analyzed and the known data object do not have to be exactly the same. For example, if a first application from a particular developer is determined to be undesirable through analysis (e.g., manual analysis, automated analysis), a definition may be created for the first application that matches the first application's package name. If the developer creates a modified application that has the same package name as the first application and the recognition component encounters the modified application, the definition is determined to correspond to the modified application because the package name in the definition matches the modified application's package name. The recognition component then determines that the undesirable assessment for the first application applies to the modified application.
For example, a recognition component may access a database of definitions, each definition indicating a hash of a data object's content and an indication of whether a data object to which the definition corresponds is considered to be good or bad. In an embodiment, the definitions used by one or more recognition components operating on server 151 are stored on server 151 or on data storage 111. In an embodiment, known good component 903 and known bad component 905 are each implemented on server 151 using a recognition component. For example, a known good component may include a recognition component where all of the definitions accessed by the recognition component correspond to an assessment that a data object is considered to be good. In an embodiment, known good and known bad components are each implemented as recognition components that match application data for a data object against known good and known bad application data. For example, a known good component may have a list of known good hash identifiers, package names, and cryptographic signers that it tries to match with data objects being analyzed. In an embodiment, if a data object has any characteristic in the known good list, it is considered safe. In an embodiment, a server may use a similar known bad system that matches known bad application data to application data for a data object being analyzed. Other known good and known bad analysis systems are possible without departing from the scope of this disclosure. In an embodiment, the recognition component produces a variety of assessments—not simply “good” or “bad.” In an embodiment, the recognition component uses a single assessment instead of storing multiple assessments if all definitions only have a single corresponding assessment, such as in the case where the recognition component only identifies whether a data object is “known bad.” Other variations are also possible without departing from the scope of this disclosure.
FIG. 12 illustrates an embodiment of this disclosure used to assess data objects on a mobile communication device. A mobile communication device 101 may first initiate a scan of a data object, such as in the case of a full system scan or when the data object is being executed or installed 1201. The recognition component evaluates application data for the data object (e.g., package name, hash of data object's content, unique identifier, content of data object) to determine if a definition accessible to the recognition component corresponds to the data object (block 1202). For example, as discussed above, the correspondence may include matching identifying information for the data object to data contained in a definition or matching the data object's content to sequences, patterns, or logic contained in a definition. If a definition corresponds to the data object, then the recognition component determines the corresponding assessment for the data object. In an embodiment, recognition component in block 1202 utilizes a data store of definition and assessment information. For example, as discussed above, the definitions stored on the mobile communication device may be pre-populated or populated when the mobile communication device receives the definition and assessment information from server 151. In an embodiment, the definitions stored on the mobile communication device may be considered a cache, the cache functioning as described above. If the recognition component on the mobile communication device determines an assessment for the data object (block 1203), that assessment is processed to determine how to treat the data object (block 1204). For example, if the assessment indicates that the data object is malicious, then the mobile communication device may disallow the data object from being executed or prompt the device's user to uninstall the data object. If the recognition component on the mobile communication device does not determine an assessment for the data object (block 1203), then mobile communication device 101 transmits data object information such as application data (e.g., identifying information, content of the data object) to server 151 (block 1205). The server receives the data object information (block 1206), and a recognition component on server evaluates the data object information to determine if a definition accessible to the recognition component corresponds to the data object (block 1207). If a definition corresponds to the data object (block 1208), then server 151 determines an assessment for the data object and transmits it to mobile communication device (block 1209). If the recognition component does not determine a corresponding definition or assessment for the data object (block 1208), a decision component on the server analyzes the data object information (block 1210). If the decision component produces an assessment, then server 151 transmits the assessment to the mobile communication device (block 1209). If no assessment is produced by the decision component, then the server transmits an indication that the data object is unknown to the mobile communication device (block 1209). Mobile communication device 101 receives the assessment from the server (block 1211) and processes the assessment information to determine how to treat the data object (block 1204). In an embodiment, mobile communication device 101 adds information from the assessment received from server 151 to its local definition cache when it processes assessment information (block 1204). For example, the device may store information such as a disposition for the data object (e.g., “known good”, “known bad”, “malware”, “spyware”), an identifier transmitted by server 151, and definition information generated by the device or transmitted by server 151 (e.g., hash of the data object's content, data object's package name).
In an embodiment, mobile communication device performs analysis on a data object being scanned using a local decision component on the mobile communication device before transmitting data object information to server 151 in the case where the recognition component on the mobile communication device does not determine an assessment. In an embodiment, analysis by the local decision component and transmitting data object information to the server occur in parallel to minimize delay to a user. One skilled in the art will appreciate that a variety of configurations of the components in a combined client-server anti-malware system are possible without departing from the scope of this disclosure.
In an embodiment, mobile communication device 101 transmits authentication information such as authentication credentials or session information to server 151 whenever sending information about a data object so that server can associate information exchanged with a particular account on the server.
D. Application Assessment and Advisement System
Previous portions of this disclosure described various systems and methods for collecting different types of data from one or more mobile communication devices and other sources as well as analyzing the collected data to produce assessments for data objects. The following is a discussion of how server 151 can use assessments for display, exposure via API, and a variety of other purposes. Some examples of assessments that have been disclosed herein include output from one or more analysis systems (e.g., characterization data, categorization data, trust data, and distribution data) and one or more ratings for a data object (e.g., security rating, privacy rating, battery rating, performance rating, quality rating). One having ordinary skill in the art will appreciate that assessment information pertains to a wide variety of information which can be used to understand the effects of installing a given data object on a mobile communication device beyond a typical anti-malware system's assessment of whether the data object is malicious or not. In addition, this assessment information can be used to guide decisions regarding whether to download and install different types of data objects. Such information can be useful to an individual user trying to decide whether to install a certain application on his mobile communication device. Such information can also be useful to an IT administrator trying to decide whether to deploy a certain application to a plurality of mobile communication devices. In an embodiment, a user or IT administrator can use this assessment information for application policy enforcement.
One having skill in the art will appreciate that the data available to server 151 and assessments produced by the server are useful beyond anti-malware purposes. For example, the assessments can detail whether a data object is known for excessively draining a mobile communication device's battery or if a data object utilizes an undesirable amount of network resources. Because server 151 continues to gather, store, and analyze data to produce assessment information, in an embodiment, server 151 can provide information that details how a data object is estimated to affect a mobile communication device before the data object is installed on the mobile communication device. For example, server 151 can provide estimated battery usage information and/or network usage information for an application.
When users interact with assessments, it may be desirable that the assessments represent an appropriate level of granularity so that users do not feel that the assessments are too broad or too narrow. In an embodiment, server 151 merges assessments for multiple data objects into a single assessment and transmits the merged assessment. For example, if an application contains multiple data objects (e.g., executable and multiple libraries), a user may wish to see an assessment for the application as a whole, not multiple assessments for its constituent data objects. Similarly, if there are multiple versions of an application (on a single platform or multiple platform) that exhibit similar characteristics, an enterprise policy administrator making a decision about the application may only wish to view a single assessment that encompasses all versions of the application.
In order to merge assessments for multiple data objects, server 151 may use application data such as file paths, version numbers, package names, cryptographic signers, installer source, and other information to determine that a group of data objects pertain to a particular version of an application and/or that one or more data objects or group of data objects belong to different versions of an application. For example, if a set of executables are commonly seen in the same directory together, server 151 may determine that those executables are all related to the same application. In another example, if an application package has both a package name and a version identifier embedded in it, server 151 may determine that two data objects with the same package name and human-readable application name but different version identifiers are multiple versions of the same application.
Because it may be desirable for assessments to provide a consistent form of information between platforms, an embodiment of this disclosure is directed to server 151 including some or all of the same fields in assessments for data objects that run on different platforms. For example, even though the location APIs on different smartphone operating systems are very different in their function, server 151 may perform operating system specific analysis on data objects to produce a cross-platform assessment of whether each data object accesses the device's location. If the assessment were in the form of a list of capabilities for the data object, both a mapping application on BlackBerry and a location-based social network on Android would have the “accesses device location” capability. Similarly, battery usage may be calculated differently on each platform, but server 151 may produce a cross-platform assessment of the estimated daily battery use measured as a percentage of total battery capacity. In an embodiment, merged assessments for multiple data objects include information about the range of characteristics and categorization for data objects. For example, an assessment may show a trend in the battery usage of multiple versions of an application. An application that used a lot of battery in an old version but has recently decreased its battery usage may be acceptable while an application that has consistently high battery usage may be unacceptable.
An embodiment of this disclosure is directed toward server 151 making assessments for data objects available via a web interface. For example, users may wish to be able to learn more about the characteristics and capabilities of applications they have on their mobile devices. Server 151 may expose, as a web interface, an index of applications for which assessments are available and an assessment for each of these applications. In order to facilitate easy location of applications, server 151 may organize applications in a variety of ways, such as alphabetically, by their characteristics, by their categorization, and by platform. In addition, server 151 may allow a user to search for applications using terms that match the application's name, description, or fields in the application's assessment (e.g., all applications that run on Android OS and send location to the internet). Furthermore, publicly displaying assessments may assist in the transparency of applications.
For example, application vendors may direct users to the assessment page generated by server 151 as an independent third-party assessment of the capabilities of an application so that users can verify what the application is doing. In an embodiment, server 151 generates a web interface that allows a user to view an application's conditional assessment based on device data (e.g., how much battery does this application use on a Motorola Droid, how much network data does this application use on AT&T Wireless) and compare different conditional assessments (e.g., this application's battery usage on a Motorola Droid vs. a HTC Hero, how much network data does this application use on AT&T Wireless vs. Verizon Wireless). Such conditional assessments may be helpful to identify anomalous behavior in particular circumstances—for example, the assessment page may indicate that a certain set of handsets, operating system versions, or other applications installed on a device cause a higher error rate or anomalous change in certain assessment characteristics for this application. In an embodiment, server 151 identifies data objects having extreme values for particular assessment values. For example, server 151 may generate a web page identifying which applications use more than 1 gigabyte of network data per month or which applications use more than 10% of a device's battery.
Because assessment data generated by server 151 may be utilized to provide a variety of other products and services, an embodiment of this disclosure is directed toward server 151 exposing assessment data via an API. All functionality exposed by a web interface, as described above, may also be exposed as an API so that a variety of products and services may be built. For example, server 151 may provide an HTTP API by which supplying a data object's package name or content hash in the request URL will result in the server returning an assessment for the data object identified by the package name or content hash. In another example, server 151 may generate a JavaScript file that can be included by a remote web page and displays an interactive assessment view for a particular data object.
In an embodiment, server 151 can cause assessment data, such as a rating or disposition as to whether an application is desirable or not, to appear in an application marketplace. One will appreciate that application marketplaces may be implemented in a variety of ways, such as using a web site, using a mobile client application, using a PC-based client application, and using a messaging service such as SMS. As such, rather than subjective user-provided review information, an embodiment of this disclosure will provide objective assessment information for an application or other data object.
For example, server 151 may provide an API by which it may be queried for assessment data, or server 151 may proactively analyze all of the applications available in an application marketplace, transmitting assessment data to the marketplace provider. In an embodiment, a user can search the application marketplace for only those applications that meet certain desirable criteria, such as security, privacy, device efficiency, trustworthiness, and the like. In an embodiment, application providers can use the aggregated information in order to provide quality control measures. The application provider may only feature applications that meet certain battery efficiency criteria, a standard for an acceptable number of crashes or errors, certain network traffic limitations, privacy protections, and the like. In this fashion, an embodiment of this disclosure can improve the offerings on an application marketplace, thereby encouraging developers to create better applications. In an embodiment, the assessment information may be used as a certification system, wherein an application meeting certain criteria may be marked with a symbol, badge or other icon denoting the positive assessment for the application. For example, applications that have a high trust rating or applications that only access a minimal set of private information may be considered certified. In order to verify an application's certification, the certification marker may have a link or other way for a user to retrieve a full assessment from server 151.
In an embodiment, server 151 transmits assessment information to mobile communication device 101 for display. For example, a mobile device may have an interface by which a user can explore assessments for all applications installed on the device. The interface may allow a user to view assessment information for a particular application as well as allow a user to view which applications match a set of assessment criteria (e.g., all applications that send the device's location to the internet, the top 10 battery users, all applications that use more than 50 megabytes of network traffic per month). In an embodiment, mobile communication device 101 displays an interface as a part of an application marketplace, an application download process, or an application installation process on a mobile communication device so that a user browsing an application available for download or downloading/installing an application sees assessment information for the application. When browsing, downloading, or installing an application, the device transmits identification information to server 151 and receives an assessment for the application, displaying some or all of the assessment on a user interface. For example, the interface may display the capabilities of the application or characteristics of the application. The interface may also be interactive, allowing the user to explore aspects of the assessment, requesting additional assessment information from server 151 if necessary. In another example, the device may display an indicator of trust for an application, as determined by server 151 and transmitted to device 101 as part of an assessment, The indicator of trust may be displayed in a variety of ways, including as a certification seal (e.g., “Lookout™ certified”) or a rating (e.g., “A+”, “B−”, “C+”).
In some cases, users will not read lengthy security explanations, so it is important to display security information about applications in such a way that is easily understandable. In an embodiment, a mobile communication device 101 displays a graphical assessment indication for an application. For example, notable aspects of assessments may be displayed as icons or badges for the application. Some examples include badges for being “battery efficient”, being a “battery hog”, “accessing location”, having “spy capabilities”, being a “social network”, and being a “file sharing app”. The badge for each notable assessment may include an illustration making the badge easy to understand and coloration indicating whether the assessment is merely informational or something potentially critical. For example an application being efficient with battery use may have a green icon showing a full battery while an application that typically uses a lot of battery may have a red icon showing an empty battery.
Because server 151 continually gathers information and improves assessments, assessment information can be updated on application marketplaces and/or mobile communication devices that have cached the assessment information. For example, server 151 may send a notification to the application marketplace or mobile communication device indicating that new assessment information is available. In another example, server 151 may simply transmit the updated assessment information so that old information is overwritten.
In addition to viewing assessments on a device for data objects that are installed on that device, it may also be desirable to view assessments for data objects installed on a device from a web interface. For example, a user may wish to use his or her PC to explore assessments for applications installed on his or her device. As discussed, in an embodiment, mobile communication device 101 transmits application data for data objects it has installed to server 151. Because server 151 may store which applications are currently installed on device 101, the server can generate a user interface displaying assessments for those applications. For example, server 151 may generate and transmit a web interface allowing a user to view a list of all applications installed on a device, view an assessment for each installed application, and explore which installed applications match particular assessment values (e.g., all applications that can access my location). To prevent disclosure of private information, server 151 may require that a user log in using authentication credentials in order to view assessments for the applications on his or her device. Furthermore, an enterprise administrator may wish to view assessments for a group of devices from a central management console.
In an embodiment, server 151 generates a web interface that allows a user to view assessments for applications installed on multiple devices. For example, the web interface may allow a user to explore all apps that are installed on a group of devices that match a certain assessment field (e.g., file-sharing applications), view risk rating assessments for the group of devices, view all of the capabilities for applications installed on the deployment, and determine which devices and which apps are causing certain capabilities and risk exposures. A user may start by using server 151 to generate an overall set of security, privacy, and battery risk ratings for the group of devices then click on a rating to view the list of applications most contributing to that risk rating. A user can then view which devices have a given application. In another example, a user may start by using server 151 to generate a list of all capabilities for applications installed on the group and then click a given capability to view all of the applications installed on the group that have that capability. From there, the user may further explore which devices in the group have a given application installed. In an embodiment, assessments for a group of devices are exposed by server 151 in the form of an API for use by external services such as management consoles. For example, server 151 may expose risk ratings for the group of devices to a centralized security reporting system via an HTTP API.
On mobile communication devices, battery and network data are often limited in such a way that applications can adversely affect the device's battery life and can cause network use overage charges. An embodiment of this disclosure is directed to using assessments to make users aware of applications' network or battery usage and alert users in the case of an abusive application. Software on the device retrieves an assessment containing battery and network usage characteristics for an application from server 151 and displays the assessment to the user. As described above, a device requesting assessment information from server 151 may include application data for the application. The assessment may be customized for the particular device the user is using by the device sending device data when retrieving the assessment or by sending authentication data that associates the assessment request with previously transmitted device data. For example, the assessment may indicate that an application will likely reduce a user's model of phone's battery life by 5% or 1 hour; whereas a different model phone that has different battery life characteristics may receive an assessment that the same application reduces the phone's battery life by 10% or 3 hours. The assessment display may occur as part of an on-device application marketplace or as a user interface dialog before, during, or after installation of an application.
Furthermore, after the user installs multiple applications, it may be desirable for that user to understand which applications are most contributing to network usage or battery life based on the applications' actual behavior on the device. In an embodiment, the device collects behavioral data for the battery and network usage of an application and allows a user to view the actual behavioral data from an interface on the device. For example, the interface may allow a user to view a particular application's battery and network usage as well as view the top network and battery using applications in order to identify which applications are contributing to network overage or short battery life. In an embodiment, mobile communication device 101 reports behavioral data for applications installed on the device to server 151 and allow the user to view the actual behavioral data via a web interface generated by the server. One having ordinary skill in the art will appreciate that other characteristics of mobile applications can be monitored and shown to users as well.
Because a single application can cause significant problems with respect to battery life, network usage, or other limited resources, it may be desirable to notify a user when an application is behaving undesirably. In an embodiment, mobile communication device 101 monitors the network and battery usage of applications installed on the device and notifies the device's user when an application exceeds desirable limits. For example, the user may set thresholds for how much data applications may transmit and receive before he or she is notified. In another example, a user is notified when the device determines that an application will adversely affect the user's battery life or phone bill. If a user typically uses a phone for 20 hours before plugging it in and an application on the device reduces the estimated battery life to less than 20 hours, it's likely that the user will run out of battery. It may then be important to alert the user that there is an action he or she can take to avoid running out of battery, namely uninstalling or otherwise disabling high battery using applications.
In an embodiment, in order to prevent applications on a user's device from exceeding the user's data plan, device 101 or server 151 predicts the future data usage of a device and gathers information about the device's data plan. In order to gather information about a device's data plan, device 101 or server 151 connects to a network operator's servers to determine data plan information such as the data allocation per billing cycle, what their billing cycle is, and how much data has been used during the current billing cycle. Communications to the network operator's servers may occur in a variety of ways, such as via an HTTP API or SMS messaging. If software on a device uses SMS messaging to retrieve a user's data plan information, the software may automatically consume the response message sent by the network operator's servers in order to prevent the communication from showing up in the user's inbox. In order to predict future data usage, server 151 may analyze typical data usage for applications installed on a device and actual data usage on that device. If an application is newly installed, typical data usage may be used while for an application that has been on the device for months, actual data usage may be used. If applications on device 101 use network data at a rate that would exceed the device's data plan allocation by the end of the billing cycle, software on the device displays an alert indicating the likely overage charges. The alert may also display the applications most contributing to the data usage and give the user to uninstall or reconfigure the applications. Device 101 may report the alert to server 151 which may also send a notification (e.g., via email) indicating the potential for data overage. Software on device 101 or server 151 may display an indication of the current predicted data usage relative to the device's data allocation so that a user may adjust his or her application usage patterns accordingly. For example, if a user is worried about exceeding his or her data plan, he or she may check what the current predicted data usage is before engaging in a video chat.
Because the applications installed on a device may have a significant impact on the risk exposure of the device, it may be desirable for a user or administrator to set policy for what applications are desirable to install on a device or group of devices. The following is a discussion of how protection policy can be implemented on one or more mobile communication devices. In an embodiment, policy includes blacklists and whitelists. A blacklist is a set of applications or assessment criteria that are explicitly denied from running on a mobile communication device while a whitelist is a set of applications or assessment criteria that are explicitly allowed to run on a mobile communication device. For example, a policy may allow only applications on a whitelist or only applications not on the blacklist. In an embodiment, explicit application entries have higher priority than assessment criteria entries. For example, a policy may specify certain capabilities (e.g., sending a device's location to the internet) that are blacklisted but specify certain applications that are whitelisted. In this case, all applications that send location to the internet may be blocked unless they are explicitly on the whitelist because the explicit applications on the whitelist are of higher priority than the assessment criteria on the blacklist. One skilled in the art will appreciate that a variety of policy schemes can be implemented without departing from the scope of this disclosure.
Users may have individual preferences for the type of applications they want on their mobile devices. Some users, for example, may be sensitive to privacy issues, while other issues may want to optimize their battery life. In order to allow users to utilize application assessments to gain greater insight into the applications they use or are considering to use, an embodiment of this disclosure is directed to software on a mobile communication device allowing a user to set policies based on assessment criteria for applications, the software blocking applications that exceed an undesirability threshold. When a user attempts to install an application, the software requests an assessment for the application from server 151 and receives the assessment from the server.
For example, if the user attempts to install an application that has the capability of sending location information to the internet but has a policy to disallow any applications that can send his or her location to the internet, then software on the mobile communication device will block the installation. In another example, a user may set privacy, security, and battery life policy thresholds individually on a relative scale (e.g., 0 to 10). When the user installs an application, software on the device retrieves an assessment for the application and compares the application's privacy, security, and battery ratings with the policy thresholds and alerts the user if the application exceeds the configured policy. Instead of blocking installation of an application that is undesirable, a user may want to simply be warned of the undesirability.
In an embodiment, the user can ignore the alert and choose to accept the application anyway. In an embodiment, the device displays a user interface indicating that an application is undesirable for the user. For example, a mobile device may display an indication of whether an application being viewed for possible download in an application marketplace meets the user's desirability criteria. In another example, software on a device may allow a user to view all applications that do not meet desirability criteria. Such an interface may be useful if a user changes his or her criteria and wants to view applications that are now undesirable given the new criteria.
IT administrators, parents, network operators or other people responsible for multiple mobile communication devices may wish to set policy on multiple mobile communication devices without physical access to all of the devices. In an embodiment, server 151 allows a user or administrator to set policy for a device or group of devices. When a device 101 attempts to install an application, the device sends a request to server 151 for an assessment of the application. Based on policy configured on server 151, the assessment contains an indication of whether the application is allowed or disallowed and may also contain the policy criteria for why a disallowed application was assessed to be disallowed. In an example, policy on server 151 is configurable via a web interface.
In an embodiment, server 151 allows policy to be configured by assessment criteria as well as on a per application basis. For example, an administrator may use server 151 to block all applications that are in a certain category such as social networking applications or all applications that access certain capabilities such as the ability to transmit files or other sensitive data from a device. In an example, an administrator may wish to only allow particular applications by creating a whitelist, blocking all applications not on the whitelist. In a further example, an administrator may permit all applications other than particular applications that are on a blacklist because they are known to be undesirable. Because the set of applications allowed or denied under a policy may be pre-computed, an embodiment of this disclosure is directed to server 151 generating a set of policy definitions and transmitting the policy definitions to one or more mobile communication devices 101. For example, if a group of devices has a policy to only allow applications that are on a whitelist, server 151 may transmit a list of identifying information for the whitelisted applications to a mobile device so that the device does not need to contact the server for assessments every time it encounters an application.
When configuring policy using abstract concepts such as application categorization and capabilities, it may be desirable for a user or administrator to see what applications would be allowed/denied or whether a particular application would be allowed/denied if configuration changes were to be made. In an embodiment, the policy configuration user interface on mobile communication device 101 or server 151 includes an interface for viewing applications that would be blocked or allowed as part of a configuration change. If the configuration change interface is displayed on mobile communication device 101, the device may send requests for data to server 151 to populate the interface. It may be desirable to show all of the applications allowed or blocked after the configuration change goes into effect or only the difference in applications allowed or blocked between the current configuration and the new configuration. Because the number of applications affected by a configuration change may be very large, the interface may display summary information and allow a user to search for a particular application to determine whether the configuration change affects that application and whether the configuration change would result in that application being allowed or blocked. In an embodiment, the interface displaying the effect of a configuration change indicates whether any popular applications would be blocked. For example, application popularity may be determined based on overall distribution data determined by server 151 or by the prevalence of the application in the group of devices being managed. In an embodiment, the change result interface only displays changes that affect applications that are currently installed on at least one device in the group being managed.
In order to prevent a policy system from interfering with acceptable usage of mobile communication devices, an embodiment of this disclosure is directed to server 151 maintaining sets of acceptable apps and allowing a user or IT administrator to easily add those sets to a whitelist, the whitelist automatically including changes to the sets of acceptable apps. For example, server 151 may maintain a list of applications that are popular overall or a list of popular applications by application category. In a policy configuration interface, the server may present a way to include all popular applications or only popular applications in particular categories (e.g., games, social networks) in the policy's whitelist. In an embodiment, such dynamic list policies are of higher priority than assessment criteria entries on blacklists and whitelists but of lower priority than explicit application entries. In another example, server 151 may maintain a list of applications with high trust. In a policy configuration interface, the server may present a way to include all high-trust applications in the policy's whitelist. Whenever the high-trust list is updated, applications with high trust are effectively considered whitelisted when making policy assessments.
Because a mobile device deployment may already have a device management server or service in place, it may be desirable for server 151 to supply data to a device management server that actually performs the policy enforcement. In an embodiment, server 151 interfaces with a device management server to configure application policy on the device management server. For example, the device management server may support configurable application blacklists and whitelists. If a user sets configuration on server 151 to only allow applications that are on a whitelist or that match certain assessment criteria, server 151 generates the list of applications to be whitelisted and transmits the list of applications to the device management server in a format and over a protocol that the device management server supports. Similarly, if a user configures a blacklist on server 151, the server generates the list of applications that are on the blacklist and configures the device management server to enforce the blacklist. In an embodiment, server is capable of configuring multiple device management servers. For example, if an organization supports multiple mobile device operating systems and uses different mobile device management servers, an administrator can configure a cross-platform policy on server 151 (e.g., blocking all file sharing applications). Server 151 may then identify all of the applications across multiple platforms whose assessments match the policy and configure the appropriate application policies on device management servers. Because each device management server may only support a subset of mobile device platforms that server 151 supports, server 151 only transmits policy information to a device management server that corresponds to data objects that run on operating systems that are supported by the device management server. For example, if a device management server only supports Blackberry devices, server 151 may only configure the device management server's blacklist and/or whitelist with information about Blackberry applications.
In an embodiment, policy compliance checking can be performed by either server 151 or mobile communication device 101. For example, if server performs compliance checking, any compliance settings are stored on server 151 so that any configuration performed on mobile communication device 101 results in that configuration being transmitted to the server. When the device requests an assessment for an application from server 151, the server includes in the assessment an indication of whether the application is allowed or disallowed by policy. In another example, if mobile communication device 101 performs compliance checking, any compliance settings are stored on mobile communication device 101 so that any configuration performed on server 151 results in that configuration being transmitted to the device. When the device receives an assessment for an application, it compares the assessment to the policy configuration to determine if the application is allowed.
In an embodiment, policy management is integrated with a server-coupled anti-malware system so that signatures and assessments for applications provided by server 151 enable device 101 to block data objects that violate policy. For example, when a device 101 requests for an assessment from server 151, the server's assessment indicates that an application is undesirable if the application is considered malicious or if it violates policy. In either case, the assessment produced may indicate further information about why the application was found to be malicious or policy-violating. In another example, server 151 may pre-emptively transmit signatures for malicious or policy-violating applications to mobile communication device 101 so that the device can recognize whether a data object is desirable or undesirable without having to contact server 151.
If a device 101 has installed an application that violates a protection policy in place on either the device or server 151 or the assessment for an application has been updated to make it violate the protection policy, it may be desirable for remediation actions to be taken by the device or other systems. In an embodiment, if a device has an application installed that violates the protection policy for that device, the server or software on the device can enact remediation actions to occur. Depending on whether policy compliance is determined at the device 151 or server 101, either the device or server may determine what remediation actions to take.
For example, if a user installs an application and the assessment received from server 151 indicates that the application is acceptable but at some point in the future server determines that the application is unacceptable, server 151 transmits an updated assessment to the device including remediation actions for the device to take. In another example, if a user installs an application on a device and the device receives an assessment from server 151 indicating that the application is acceptable but software on the device gathers behavioral data that shows that the application violates policy (e.g., the application attempts to acquire the user's location), the device may undertake pre-configured remediation actions such as removing the application. The device may also transmit this behavioral data to server 151 and indicate the policy violation. One skilled in the art will appreciate that using behavioral data to enforce policy can protect mobile communication devices in a variety of situations such as when a vulnerability in an application is exploited, when an application only behaves undesirably on a subset of devices (e.g., a targeted attack against employees of a particular company), or when an application only behaves undesirably after a period of time (i.e. a time bomb).
When a device is detected to be violating policy, a variety of remediation actions are possible, for example, any violating applications may have their processes ended, may be uninstalled or isolated from accessing certain system functionality (e.g., internet, private data), or may be restricted from accessing certain networks (e.g., only allowed to access Wi-Fi, not the cellular network). It may also be desirable to isolate the whole device from accessing sensitive resources such as a corporate email or VPN server while it is out of compliance to prevent information leakage. Other remediation actions may include those disclosed in U.S. patent application Ser. No. 12/255,614, filed on Oct. 21, 2008 and incorporated in full herein.
If an administrator is able to set policy using server 151, it may also be desirable for a user to use server 151 to view the compliance status of devices that the policy applies to. In an embodiment, server 151 determines whether a group of mobile communication devices is in compliance with application policy and which applications are installed on devices in the group. For example, if mobile communication devices report the applications they have installed and server 151 contains policy configuration, the server can determine which devices currently violate the policy set by an administrator. To allow an administrator to view the compliance status, server 151 may generate a web interface listing whether or not all devices are in compliance and if any devices are out of compliance, how many there are. The interface may also allow the administrator to view specific devices that are out of compliance, view which applications make the devices out of compliance, and initiate remediation actions (e.g., removing an application) remotely.
In an embodiment, server 151 presents a one-click remediation action whereby an administrator can click a single button to remotely initiate remediation actions on all devices in the group the administrator is managing. For example, if an administrator managed 100 devices and 10 of the devices had applications that violated policy, the administrator could click the one-click remediation button on the web interface to cause the server to send indications to each of the 10 out-of-compliance devices to remove the undesirable applications without any user intervention required. Once the remediation actions completed, each device 101 may send an indication to server 151 indicating whether it was successful or not. During the remediation process, server 151 may generate an interface by which the administrator can view the status of the remediation. Other methods of server exposing compliance status include server 151 exposing an API (e.g., for use by a security management console) and server 151 generating reports that can be downloaded.
In some cases, it may be desirable for a user or administrator to receive a notification if he or she installs an application that is considered undesirable or if a previously installed application is newly considered to be undesirable based on an updated assessment. In an embodiment, mobile communication device 101 transmits information about the installation of a data object to server 151. If server 151 determines the data object to be undesirable based on universal undesirability characteristics or characteristics for the user, the server transmits a notification. For example, if a user installs an application that is assessed as desirable, but at some point in the future, the application begins to exhibit malicious or other undesirable behavior such as wasting battery, the server may change its assessment to indicate that the application is undesirable. The notification may take a variety of forms, such as an email, SMS message, or user interface dialog displayed on a web page, on a PC, or on a mobile communication device.
For an IT administrator managing a plurality of mobile communication devices, policies can be set for a specific application, even if the application is available on multiple platforms and has multiple versions. For example, it is not uncommon for an IT administrator to manage a fleet of mobile communication devices running different operating systems. The fleet of mobile communication devices can include iPhones, BlackBerry devices and Android devices. However, if a certain application is known to be undesirable on all three device operating systems, such as a social networking application that can disclose private information, then the IT administrator can block all versions of the application from installation, regardless of platform. However, if an application can share sensitive information on one platform but not others, then the IT administrator can allow installation of the application on only the platforms that don't share sensitive information. As discussed above, it may also be desirable for an IT administrator to make policy decisions about all versions of an application at once instead of having to maintain a policy that treats multiple versions of an application as separate decisions. Because there are some applications that are updated very frequently, it would quickly become a very difficult task to manage application policy if an administrator could not treat all versions of a particular application as one policy decision.
Because an application may drastically change between updates, it's desirable for an administrator to be aware of any changes that could affect the administrator's decision of whether or not to allow the application. An embodiment of this disclosure is directed to server 151 sending a notification in the case of an application that is present on a blacklist or whitelist changing its capabilities or characteristics significantly. For example, if a new version of an application that is on an administrator's whitelist has the capability to transmit files from a user's device while previous versions did not, then server 151 may send an email or text message to the administrator indicating the change. The policy management interface on server 151 may also display a list of applications that may need attention based on changed characteristics.
In order to simplify configuration, an embodiment of this disclosure is directed to software on mobile communication device 101 or server 151 may provide default policies that account for common use cases. For example, a user may be able to select that they are concerned with battery life and location privacy but they are not concerned with network usage and phone number privacy. By selecting such concerns, the device or server automatically configures policies and thresholds for undesirable applications. In an embodiment, server 151 or device 101 contains pre-set policies for compliance with regulations. For example, financial industry or healthcare industry workers may be required to have a particular set of application policies in place to prevent the disclosure of sensitive information. Because the set of applications allowed or denied under these regulations may change over time, server 151 may automatically update the specific policy decisions that enforce the regulation without an administrator needing to specifically configure them. In order to allow for inspection and auditing, server 151 may generate a list of policy decisions it is employing to comply with regulation and may notify an administrator when policy decisions will change. If an administrator rejects certain policy decisions, he or she may override the default policy set by server 151.
As it may be desirable to simplify the policy configuration process, an embodiment of this disclosure is directed to server 151 or mobile communication device 101 presenting a series of questions to a user or administrator, the answers to the questions being used to automatically set policy. For example, when a user is first setting up application policy software on his or her device, the software may ask whether the user has an unlimited data plan, whether the user wants to allow services to access the device's location, and whether the user wants to block all tools that can be used to spy on the device. Based on the answers to the questions the device may set policy of whether to block high data usage applications, whether to alert the user in the case of a high data usage application, whether to block applications that send a user's location to the internet, and whether to block espionage applications. After this initial setup, a user may desire to tweak policy decisions, while other users may accept the automatically configured policy.
Because abusive applications may have a substantially negative impact on wireless networks, an embodiment of this disclosure is directed to providing “early-warning” information about potentially abusive applications. In an embodiment, server 151 may use information such as behavioral data and other data available to it in order to produce an assessment of whether an application has network access characteristics that may be harmful for mobile networks. For example, an application that receives or transmits a large amount of data, sends a large number of SMS messages, or opens a large number of persistent connections may adversely affect a mobile network's performance. After assessing an application to determine if it is potentially harmful to a mobile network, server 151 stores the assessment. In an embodiment, server 151 notifies an administrator when a potentially harmful application is identified. For example, the notification may be in the form of an email or text message that contains information about the potentially harmful data object.
In an embodiment, server 151 generates a web interface that displays applications that have been assessed as potentially harmful to a mobile network. The web interface may be designed to support a review workflow so that potentially harmful applications can be further analyzed by an administrator. After examining an application, the administrator may want to take remediation action in some cases while, in other cases, the administrator may want to take no action. If an administrator chooses to take no action, the application will not be considered potentially harmful unless its behavior significantly changes, triggering server 151 to identify the application for re-review. In order to prevent multiple data objects for a given application being repeatedly identified as potentially harmful, if an administrator chooses to ignore an application, all versions of that application will also be ignored, as server 151 can determine whether multiple data objects belong to the same application or other grouping.
If an administrator is aware of a potentially harmful application, he or she can take preemptive measures to avoid serious problems if the application is installed on more devices. In an embodiment, server 151 generates a web interface allowing an administrator to take remediation actions for an application that is considered harmful. A variety of remediation actions are possible. For example, server 151 may present an interface allowing the network administrator to communicate with the publisher of the application and work through a resolution for the harmful behavior. Server 151 may extract the publisher's email address from marketpalce data and allow a network administrator to type in a message via the server's web interface that server 151 sends to the publisher. When server 151 sends the email, the reply-to address in the outgoing email is specially set so that when the publisher responds, server associates the response with the initial message and publishes the response in the web interface for administrator to view and potentially continue the conversation. In an embodiment, server 151 generates a web interface allowing an administrator to configure security software installed on a group of devices. For example, the administrator may wish to configure the security software to block the potentially harmful application or isolate the application so that it cannot communicate via a cellular network. If the administrator desires to block the application, server 151 may use a variety of mechanisms, such as those disclosed herein to block the application from being installed on devices or to remove the application if it is already installed on devices. Because server 151 can identify multiple data objects that correspond to the same application, if an administrator blocks an application, all data objects for the application are considered to be blocked. If an application that was potentially harmful is fixed in a subsequent version, server 151 may allow the administrator to specify a range of versions of the application to block.
Because it may be desirable to prevent the download of undesirable applications, an embodiment of this disclosure is directed to server 151 generating network infrastructure configuration data. For example, server 151 may store a set of blacklisted data objects and be able to generate a set of intrusion prevention system or HTTP proxy rules. The rules may attempt to match identifiers used by mobile devices to download data objects from an application marketplace or to identify the content of undesirable data objects as they are transmitted across a network.
In an embodiment, server 151 generates network infrastructure configuration data to block network traffic associated with undesirable applications. Server 151 generates network infrastructure configuration rules that prevent network communication associated with undesirable applications by server 151 using behavioral data for an undesirable application to characterize the network communications associated with the application and generating rules that block similar network traffic (e.g., traffic to the same IP address, subnet, or hostname). In order to prevent legitimate traffic from being blocked, server 151 may analyze how unique the undesirable application's network traffic is relative to desirable applications and only block network traffic that is particular to the undesirable application. For example, if an application communicates with two servers, one which is a well-known server used by a variety of legitimate applications and another which is an unknown server only communicated with by this application, server 151 would treat the unknown server as particular to the undesirable application.
After determining the appropriate network traffic to block, server 151 generates firewall or other network configuration rules to block undesirable applications' network traffic. For example, if a malicious application is using a particular server to exfiltrate sensitive data from peoples' phones, behavioral data for the application may indicate the IP address, port, and protocol used to transmit the sensitive data. When an administrator wishes to block the malicious application's capability to steal data, he or she may see the list of servers the application communicates with and how many other applications known to server 151 typically communicate with that server. The administrator then has the ability to choose which servers to block. After selecting the servers to block, server 151 generates rules that block the network traffic. In an embodiment, sever 151 makes configuration data, such as Snort® intrusion detection and prevention system rules, available for download via a web interface. In an embodiment, server 151 is configured to directly connect with a network infrastructure management system to deploy configuration data.
Because an administrator may be primarily concerned with a particular network, an embodiment of this disclosure is directed to server 151 producing both aggregate assessments and operator-specific assessments to identify potentially harmful applications and generating a user interface containing both. For example, if an application misbehaves only when running on a device connected to a particular type of mobile network, the aggregate behavioral data may be within normal bounds; however, the behavioral data for a particular network may be harmful. A network administrator may want to view the behavior of an application on the type of network he or she is administrating. Because individual mobile networks may treat different behavior as abusive, a user on server 151 can configure the criteria for considering an application harmful to the network.
In the description above and throughout, numerous specific details are set forth in order to provide a thorough understanding of the disclosure. It will be evident, however, to one of ordinary skill in the art, that the disclosure may be practiced without these specific details. In other instances, well-known structures and devices are shown in block diagram form to facilitate explanation. The description of the preferred an embodiment is not intended to limit the scope of the claims appended hereto. Further, in the methods disclosed herein, various steps are disclosed illustrating some of the functions of the disclosure. One will appreciate that these steps are merely exemplary and are not meant to be limiting in any way. Other steps and functions may be contemplated without departing from this disclosure.

Claims (53)

What is claimed is:
1. A non-transitory computer-readable storage medium having stored thereon a plurality of instructions which, when executed by a processor, cause the processor to perform the steps of a method for assessing a data object present on a mobile communication device, the assessment provided by a server computer, the method comprising:
before receiving data identifying at least a portion of the data object present on the mobile communication device at the server computer, determining if previously stored definition information stored in a local store at the mobile communication device corresponds to the data identifying at least a portion of the data object present on the mobile communication device, the local store storing a corresponding assessment for the previously stored definition information; and,
if the previously stored definition information in the local store at the mobile communication device does not correspond to the data identifying at least a portion of the data object present on the mobile communication device, then at the server computer, receiving data identifying at least a portion of the data object present on the mobile communication device;
at the server, determining if previously stored definition information for a data object corresponds to the received data, the definition information stored in a data store accessible by the server, the data store storing a corresponding assessment for the definition information;
if the previously stored definition information corresponds to the received data from the mobile communication device, then at the server, providing the assessment of the data object present on the mobile communication device corresponding to the previously stored definition information.
2. The non-transitory computer readable storage medium of claim 1, wherein the data identifying at least a portion of the data object present on the mobile communication device is application data for the data object present on the mobile communication device.
3. The non-transitory computer readable storage medium of claim 1, wherein the data identifying at least a portion of the data object present on the mobile communication device is behavioral data for the data object present on the mobile communication device.
4. The non-transitory computer readable storage medium of claim 1, wherein the data identifying at least a portion of the data object present on the mobile communication device is metadata for the data object present on the mobile communication device.
5. The non-transitory computer readable storage medium of claim 1, wherein the data identifying at least a portion of the data object present on the mobile communication device includes at least a portion of the data object present on the mobile communication device.
6. The non-transitory computer readable storage medium of claim 1, wherein the previously stored definition information includes a hash identifier for the data object present on the mobile communication device.
7. The non-transitory computer readable storage medium of claim 1, wherein the previously stored definition information includes a package name for the data object present on the mobile communication device.
8. The non-transitory computer readable storage medium of claim 1, wherein the previously stored definition information includes at least a portion of the data object present on the mobile communication device.
9. The non-transitory computer readable storage medium of claim 1, wherein the previously stored definition information includes an identifier for the data object present on the mobile communication device.
10. The non-transitory computer readable storage medium of claim 1, further comprising:
if the data identifying at least a portion of the data object present on the mobile communication device does not correspond to previously stored definition information stored in the data store accessible to the server, then analyzing, by the server, at least a portion of the data identifying at least a portion of the data object present on the mobile communication device to determine an assessment corresponding to the data identifying at least a portion of the data object present on the mobile communication device; and,
storing the assessment corresponding to the data identifying at least a portion of the data object present on the mobile communication device in the data store accessible to the server.
11. The non-transitory computer readable storage medium of claim 10, wherein analyzing at least a portion of the data identifying at least a portion of the data object present on the mobile communication device comprises analyzing by a decision component accessible by the server.
12. The non-transitory computer readable storage medium of claim 1, further comprising:
if the data identifying at least a portion of the data object present on the mobile communication device does not correspond to definition information stored in the data store accessible to the server, then analyzing, by the server, at least a portion of the data identifying at least a portion of the data object present on the mobile communication device to determine an assessment corresponding to the data identifying at least a portion of the data object present on the mobile communication device;
requesting, by the server, additional data pertaining to the data object present on the mobile communication device;
analyzing, by the server, at least a portion of the additional data pertaining to the data object present on the mobile communication device to determine an assessment corresponding to the data object present on the mobile communication device; and
storing the determined assessment in the data store accessible to the server.
13. The non-transitory computer readable storage medium of claim 1, further comprising, after the step of providing the assessment, if the assessment indicates that the data object present on the mobile communication device is undesirable, then at the server, transmitting instructions to the mobile communication device to prevent the mobile communication device from accessing the data object present on the mobile communication device.
14. The non-transitory computer readable storage medium of claim 1, further comprising, after the step of providing the assessment, if the assessment indicates that the data object present on the mobile communication device is undesirable, then at the server, transmitting a notification to the mobile communication device.
15. The non-transitory computer readable storage medium of claim 14, wherein the notification is a warning.
16. The non-transitory computer readable storage medium of claim 14, wherein the notification is an instruction to uninstall the data object.
17. A non-transitory computer-readable storage medium having stored thereon a plurality of instructions which, when executed by a processor, cause the processor to perform the steps of a method for assessing a data object present on a mobile communication device by a server computer comprising:
receiving data from the mobile communication device by the server computer, the received data identifying the data object present on the mobile communication device;
at the server computer, analyzing the received data by a known good component resident on the server computer to provide an assessment of the data object present on the mobile communication device;
if the analysis of the received data by the known good component on the server computer results in an assessment that the data object is allowed, then at the server computer, transmitting instructions to the mobile communication device allowing the mobile communication device to access the assessed data object present on the mobile communication device;
if, at the server computer, the analysis of the received data by the known good component on the server computer does not result in an assessment that the data object is allowed, then, at the server computer, analyzing the received data by a known bad component resident on the server computer to provide an assessment of the data object present on the mobile communication device; and
if, at the server computer, the analysis of the received data by the known bad component on the server computer results in an assessment that the data object is undesirable, then, at the server computer, transmitting instructions to the mobile communication device preventing the mobile communication device from accessing the data object present on the mobile communication device.
18. The non-transitory computer readable storage medium of claim 17, wherein the received data identifying the data object present on the mobile communication device is application data for the data object present on the mobile communication device.
19. The non-transitory computer readable storage medium of claim 17, wherein the received data identifying the data object present on the mobile communication device is behavioral data for the data object present on the mobile communication device.
20. The non-transitory computer readable storage medium of claim 17, wherein the received data identifying the data object present on the mobile communication device is metadata for the data object present on the mobile communication device.
21. The non-transitory computer readable storage medium of claim 17, wherein the received data identifying at least a portion of the data object present on the mobile communication device includes at least a portion of the data object present on the mobile communication device.
22. The non-transitory computer readable storage medium of claim 17, further comprising:
prior to receiving data identifying the data object present on the mobile communication device by the server computer, at the mobile communication device, analyzing the data identifying the data object present on the mobile communication device by a known good component resident on the mobile communication device to provide an assessment of the data object present on the mobile communication device; and,
prior to receiving data identifying the data object present on the mobile communication device, if the analysis of the data identifying the data object present on the mobile communication device by the known good component on the mobile communication device does not result in an assessment that the data object is allowed, then, at the mobile communication device, transmitting metadata for the data identifying the data object present on the mobile communication device to the server computer, and, at the server computer, proceeding with analyzing the received metadata by the known good component on the server computer.
23. The non-transitory computer readable storage medium of claim 17, further comprising:
prior to receiving data identifying the data object present on the mobile communication device by the server computer, at the mobile communication device, analyzing the data identifying the data object present on the mobile communication device by a known bad component resident on the mobile communication device to provide an assessment of the data object present on the mobile communication device; and,
if the analysis of the data identifying the data object present on the mobile communication device by the known bad component on the mobile communication device does not result in an assessment that the data object is undesirable, then, at the mobile communication device transmitting metadata for the data identifying the data object present on the mobile communication device to the server, and proceeding with analyzing the metadata to provide an assessment of the data object present on the mobile communication device.
24. The non-transitory computer readable storage medium of claim 17, further comprising:
prior to receiving data identifying the data object present on the mobile communication device by the server computer, at the mobile communication device, analyzing the data identifying the data object present on the mobile communication device by a known good component resident on the mobile communication device to provide an assessment of the data object present on the mobile communication device;
if the analysis of the data identifying the data object present on the mobile communication device by the known good component on the mobile communication device does not result in an assessment that the data object is allowed, then analyzing the data identifying the data object present on the mobile communication device by a known bad component resident on the mobile communication device to provide an assessment of the data object present on the mobile communication device; and,
if the analysis of the data identifying the data object present on the mobile communication device by the known bad component on the mobile communication device does not result in assessment that the data object is undesirable, then transmitting at least a portion of the data identifying the data object present on the mobile communication device to the server, and at the server, proceeding with analyzing the received data to provide an assessment of the data object present on the mobile communication device.
25. The non-transitory computer readable storage medium of claim 17, further comprising:
prior to receiving data identifying the data object present on the mobile communication device by the server computer, at the mobile communication device, analyzing the data identifying the data object present on the mobile communication device by a known bad component resident on the mobile communication device to provide an assessment of the data object present on the mobile communication device;
if the analysis of the data identifying the data object present on the mobile communication device by the known bad component on the mobile communication device does not result in an assessment that the data object is undesirable, then analyzing the data by a known good component resident on the mobile communication device to provide an assessment of the data object present on the mobile communication device; and,
if the analysis of the data identifying the data object present on the mobile communication device by the known good component on the mobile communication device does not result in an assessment that the data object is allowed, then transmitting at least a portion of the data identifying the data object present on the mobile communication device to the server, and at the server, proceeding with analyzing the received data to provide an assessment of the data object present on the mobile communication device.
26. The non-transitory computer readable storage medium of claim 17, further comprising:
if the assessment of the data identifying the data object present on the mobile communication device by the known good component resident on the mobile communication device does not result in a positive assessment that the data object is allowed, and if the analysis of the data identifying the data object present on the mobile communication device by the known bad component resident on the mobile communication device does not result in an assessment that the data object is undesirable, then
analyzing the data identifying the data object present on the mobile communication device by the server to provide an assessment identifying the data object present on the mobile communication device; and,
storing the assessment of the data identifying the data object present on the mobile communication device on a data store accessible by the server.
27. A non-transitory computer-readable storage medium having stored thereon a plurality of instructions which, when executed by a processor, cause the processor to perform the steps of a method for assessing a data object present on a mobile communication device, the assessment provided by a server computer, the method comprising:
at the mobile communication device, determining, by the mobile communication device, if previously stored definition information in a local store corresponds to the data object present on the mobile communication device;
if the determination at the mobile communication device shows that the previously stored definition information in the local store does not correspond to the data object present on the mobile communication device, then, at a server computer, receiving data identifying at least a portion of the data object present on the mobile communication device;
determining, by the server computer, if previously stored definition information for a data object corresponds to the received data, the definition information stored in a data store accessible to the server, the data store storing a corresponding assessment for the definition information;
if the previously stored definition information corresponds to the received data, then, at the server, providing the assessment corresponding to the previously stored definition information; and,
if the previously stored definition information in the data store accessible to the server does not correspond to the received data, then analyzing, by the server, at least a portion of the received data identifying at least a portion of the data object present on the mobile communication device to determine an assessment corresponding to the data object present on the mobile communication device.
28. The non-transitory computer readable storage medium of claim 27, wherein the data identifying at least a portion of the data object present on the mobile communication device is application data for the data object present on the mobile communication device.
29. The non-transitory computer readable storage medium of claim 27, wherein the data identifying at least a portion of the data object present on the mobile communication device is behavioral data for the data object present on the mobile communication device.
30. The non-transitory computer readable storage medium of claim 27, wherein the data identifying at least a portion of the data object present on the mobile communication device is metadata for the data object present on the mobile communication device.
31. The non-transitory computer readable storage medium of claim 27, wherein the data identifying at least a portion of the data object present on the mobile communication device includes at least a portion of the data object present on the mobile communication device.
32. The non-transitory computer readable storage medium of claim 27, wherein analyzing at least a portion of the received data identifying at least a portion of the data object present on the mobile communication device, by the server, to determine the assessment comprises analyzing the data by a decision component accessible by the server.
33. The non-transitory computer readable storage medium of claim 27, further comprising:
requesting, by the server, additional data pertaining to the data object present on the mobile communication device; and,
analyzing the additional data to determine an assessment corresponding to the data object present on the mobile communication device.
34. The non-transitory computer readable storage medium of claim 27, further comprising, after the step of providing the assessment, if the assessment indicates that the data object present on the mobile communication device is undesirable, then at the server, transmitting instructions to the mobile communication device to prevent the mobile communication device from accessing the data object present on the mobile communication device.
35. The non-transitory computer readable storage medium of claim 27, further comprising, after the step of providing the assessment, if the assessment indicates that the data object on the mobile communication device is undesirable, then at the server, transmitting a notification to the mobile communication device.
36. The non-transitory computer readable storage medium of claim 27, wherein the notification is a warning.
37. The non-transitory computer readable storage medium of claim 27, wherein the notification is an instruction to uninstall the data object.
38. The non-transitory computer readable storage medium of claim 27, wherein the notification is an instruction preventing the mobile communication device from accessing the data object.
39. A method comprising:
storing at a server definition information for a data object;
storing at the server a corresponding assessment for the definition information;
receiving at the server data identifying at least a portion of a data object on a mobile communication device, wherein the data identifying the at least a portion of the data object on the mobile communication device is received at the server when previously stored definition information in a local store at the mobile communication device does not correspond to the data identifying the at least a portion of the data object on the mobile communication device;
determining if the definition information that is stored at the server corresponds to the received data; and
if the definition information that is stored at the server corresponds to the received data, providing the corresponding assessment.
40. A method comprising:
storing at a server definition information for a data object;
storing at the server a corresponding assessment for the definition information;
receiving at the server data identifying at least a portion of a data object on a mobile communication device, wherein the data identifying the at least a portion of the data object on the mobile communication device is received at the server after the mobile communication device determines that previously stored definition information at the mobile communication device does not correspond to the data identifying the at least a portion of the data object on the mobile communication device;
if the definition information stored at the server corresponds to the received data, providing the corresponding assessment;
if the definition information stored at the server does not correspond to the received data, at the server, analyzing at least a portion of the received data identifying at least a portion of the data object on the mobile communication device to determine an assessment corresponding to the data object on the mobile communication device; and
at the server, providing the corresponding assessment resulting from the analyzing step if it is performed.
41. A method comprising:
receiving at a server data identifying a data object on a mobile communication device;
analyzing the received data by a known good component on the server to provide an assessment of the data object;
if the analysis of the received data by the known good component on the server results in an assessment that the data object is allowed, transmitting instructions to the mobile communication device to permit access to the data object;
if the analysis of the received data by the known good component does not result in an assessment that the data object is allowed, analyzing the received data by a known bad component on the server to provide an assessment of the data object; and
if the analysis of the received data by the known bad component results in an assessment that the data object is undesirable, transmitting instructions to the mobile communication device to deny access to the data object.
42. The method of claim 41 wherein the data identifying the data object on the mobile communication device is received at the server after the mobile communication device analyzes the data identifying the data object on the mobile communication device using a known good component on the mobile communication device, and
the analysis by the known good component on the mobile communications device does not result in an assessment that the data object on the mobile communication device is allowed.
43. The method of claim 41 comprising:
at the server, receiving metadata for the data identifying the data object on the mobile communication device; and
analyzing the received metadata by the known good component on the server, wherein the metadata is received when an analysis of the data identifying the data object on the mobile communication device by a known good component on the mobile communication device does not result in an assessment that the data object on the mobile communication device is allowed.
44. The method of claim 41 wherein the data identifying the data object on the mobile communication device is received at the server after the mobile communication device analyzes the data identifying the data object on the mobile communication device using a known bad component stored on the mobile communication device, and
the analysis does not result in an assessment that the data object is undesirable.
45. The method of claim 41 comprising:
at the server, receiving metadata for the data identifying the data object on the mobile communication device; and
at the server, analyzing the received metadata to provide an assessment of the data object on the mobile communication device, wherein the metadata is received when an analysis of the data identifying the data object on the mobile communication device using a known bad component on the mobile communication device does not result in an assessment that the data object is undesirable.
46. The method of claim 41 wherein the data identifying the data object on the mobile communication device is received at the server after the mobile communication device analyzes the data identifying the data object on the mobile communication device using a known good component stored on the mobile communication device, and
the analysis by the known good component does not result in an assessment that the data object is allowed,
wherein if the analysis by the known good component does not result in the assessment that the data object is allowed, the mobile communication device analyzes the data identifying the data object on the mobile communication device using a known bad component on the mobile communication device to provide an assessment of the data object on the mobile communication device, and
wherein if the analysis of the data identifying the data object on the mobile communication device using the known bad component on the mobile communication device does not result in an assessment that the data object is undesirable, at the server, receiving from the mobile device at least a portion of the data identifying the data object on the mobile communication device and analyzing the received data to provide an assessment of the data object on the mobile communication device.
47. The method of claim 41 wherein the data identifying the data object on the mobile communication device is received at the server after the mobile communication device analyzes the data identifying the data object on the mobile communication device using a known bad component on the mobile communication device, and
the analysis by the known bad component does not result in an assessment that the data object is undesirable,
wherein if analysis using the known bad component does not result in the assessment that the data object is undesirable, the mobile communication device analyzes the data identifying the data object on the mobile communication device using a known good component on the mobile communication device to provide an assessment of the data object on the mobile communication device, and
wherein if the analysis of the data identifying the data object on the mobile communication device using the known good component does not result in an assessment that the data object is allowed, at the server, receiving from the mobile device at least a portion of the data identifying the data object on the mobile communication device and analyzing the received data to provide an assessment of the data object on the mobile communication device.
48. The method of claim 41 wherein the receiving at the server the data identifying the data object on the mobile communication device is in response to an assessment of the data identifying the data object on the mobile communication device using a known good component on the mobile communication device that does not result in a positive assessment that the data object is allowed, and
an analysis of the data identifying the data object on the mobile communication device using a known bad component on the mobile communication device that does not result in an assessment that the data object is undesirable.
49. The method of claim 41 comprising:
if the analysis of the received data using the known bad component does not result in an assessment that the data object is undesirable, and the analysis of the received data using the known good component does not result in an assessment that the data object is allowed, transmitting instructions to the mobile communication device to permit access to the data object.
50. The method of claim 41 comprising:
if the analysis of the received data using the known bad component does not result in an assessment that the data object is undesirable, and the analysis of the received data using the known good component does not result in an assessment that the data object is allowed, at the server, transmitting instructions to the mobile communication device to deny access to the data object.
51. A method comprising:
receiving at a server data identifying a data object on a mobile communication device;
analyzing the received data using a known bad component stored on the server to provide an assessment of the data object;
if the analysis of the received data using the known bad component results in an assessment that the data object is undesirable, at the server, transmitting instructions to the mobile communication device to deny access to the data object;
if the analysis of the received data using the known bad component does not result in the assessment that the data object is undesirable, analyzing the received data using a known good component on the server to provide an assessment of the data object; and
if the analysis of the received data by the known good component results in an assessment that the data object is allowed, transmitting instructions to the mobile communication device to permit access to the data object.
52. The method of claim 51 comprising:
if the analysis of the received data using the known bad component does not result in the assessment that the data object is undesirable, and the analysis of the received data using the known good component does not result in the assessment that the data object is allowed, at the server, transmitting instructions to the mobile communication device to permit access to the data object.
53. The method of claim 51 comprising:
if the analysis of the received data using the known bad component does not result in the assessment that the data object is undesirable, and the analysis of the received data using the known good component does not result in the assessment that the data object is allowed, at the server, transmitting instructions to the mobile communication device to deny access to the data object.
US13/689,588 2008-10-21 2012-11-29 System and method for preventing malware on a mobile communication device Expired - Fee Related US8875289B2 (en)

Priority Applications (11)

Application Number Priority Date Filing Date Title
US13/689,588 US8875289B2 (en) 2008-10-21 2012-11-29 System and method for preventing malware on a mobile communication device
US14/318,450 US9294500B2 (en) 2008-10-21 2014-06-27 System and method for creating and applying categorization-based policy to secure a mobile communications device from access to certain data objects
US14/973,636 US9781148B2 (en) 2008-10-21 2015-12-17 Methods and systems for sharing risk responses between collections of mobile communications devices
US15/393,089 US9779253B2 (en) 2008-10-21 2016-12-28 Methods and systems for sharing risk responses to improve the functioning of mobile communications devices
US15/498,325 US9860263B2 (en) 2008-10-21 2017-04-26 System and method for assessing data objects on mobile communications devices
US15/687,395 US9996697B2 (en) 2008-10-21 2017-08-25 Methods and systems for blocking the installation of an application to improve the functioning of a mobile communications device
US16/000,712 US10417432B2 (en) 2008-10-21 2018-06-05 Methods and systems for blocking potentially harmful communications to improve the functioning of an electronic device
US16/443,682 US10509910B2 (en) 2008-10-21 2019-06-17 Methods and systems for granting access to services based on a security state that varies with the severity of security events
US16/443,697 US10509911B2 (en) 2008-10-21 2019-06-17 Methods and systems for conditionally granting access to services based on the security state of the device requesting access
US16/670,227 US11080407B2 (en) 2008-10-21 2019-10-31 Methods and systems for analyzing data after initial analyses by known good and known bad security components
US17/374,280 US11886232B2 (en) 2008-10-21 2021-07-13 Providing a mobile communications device with access to a provider service conditioned upon a device security level determination

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US12/255,621 US8108933B2 (en) 2008-10-21 2008-10-21 System and method for attack and malware prevention
US12/868,669 US8347386B2 (en) 2008-10-21 2010-08-25 System and method for server-coupled malware prevention
US13/689,588 US8875289B2 (en) 2008-10-21 2012-11-29 System and method for preventing malware on a mobile communication device

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US12/868,669 Continuation US8347386B2 (en) 2008-10-21 2010-08-25 System and method for server-coupled malware prevention

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US14/318,450 Continuation US9294500B2 (en) 2008-10-21 2014-06-27 System and method for creating and applying categorization-based policy to secure a mobile communications device from access to certain data objects

Publications (2)

Publication Number Publication Date
US20130086682A1 US20130086682A1 (en) 2013-04-04
US8875289B2 true US8875289B2 (en) 2014-10-28

Family

ID=43606363

Family Applications (6)

Application Number Title Priority Date Filing Date
US12/868,669 Active 2028-11-17 US8347386B2 (en) 2008-10-21 2010-08-25 System and method for server-coupled malware prevention
US13/460,549 Active US8544095B2 (en) 2008-10-21 2012-04-30 System and method for server-coupled application re-analysis
US13/461,054 Active 2028-12-10 US8745739B2 (en) 2008-10-21 2012-05-01 System and method for server-coupled application re-analysis to obtain characterization assessment
US13/461,984 Active 2028-12-08 US8752176B2 (en) 2008-10-21 2012-05-02 System and method for server-coupled application re-analysis to obtain trust, distribution and ratings assessment
US13/689,588 Expired - Fee Related US8875289B2 (en) 2008-10-21 2012-11-29 System and method for preventing malware on a mobile communication device
US14/318,450 Active US9294500B2 (en) 2008-10-21 2014-06-27 System and method for creating and applying categorization-based policy to secure a mobile communications device from access to certain data objects

Family Applications Before (4)

Application Number Title Priority Date Filing Date
US12/868,669 Active 2028-11-17 US8347386B2 (en) 2008-10-21 2010-08-25 System and method for server-coupled malware prevention
US13/460,549 Active US8544095B2 (en) 2008-10-21 2012-04-30 System and method for server-coupled application re-analysis
US13/461,054 Active 2028-12-10 US8745739B2 (en) 2008-10-21 2012-05-01 System and method for server-coupled application re-analysis to obtain characterization assessment
US13/461,984 Active 2028-12-08 US8752176B2 (en) 2008-10-21 2012-05-02 System and method for server-coupled application re-analysis to obtain trust, distribution and ratings assessment

Family Applications After (1)

Application Number Title Priority Date Filing Date
US14/318,450 Active US9294500B2 (en) 2008-10-21 2014-06-27 System and method for creating and applying categorization-based policy to secure a mobile communications device from access to certain data objects

Country Status (1)

Country Link
US (6) US8347386B2 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150350045A1 (en) * 2013-01-07 2015-12-03 Beijing Qihoo Technology Company Limited Method and system for processing browser crash information
US9888022B2 (en) 2015-12-01 2018-02-06 International Business Machines Corporation Providing application-specific threat metrics
US10445486B2 (en) * 2016-12-08 2019-10-15 Alibaba Group Holding Limited Method and apparatus for authorized login
US10528734B2 (en) 2016-03-25 2020-01-07 The Mitre Corporation System and method for vetting mobile phone software applications

Families Citing this family (527)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7343413B2 (en) 2000-03-21 2008-03-11 F5 Networks, Inc. Method and system for optimizing a network by independently scaling control segments and data flow
US8380854B2 (en) 2000-03-21 2013-02-19 F5 Networks, Inc. Simplified method for processing multiple connections from the same client
US7051322B2 (en) 2002-12-06 2006-05-23 @Stake, Inc. Software analysis framework
US8898788B1 (en) 2004-04-01 2014-11-25 Fireeye, Inc. Systems and methods for malware attack prevention
US8566946B1 (en) 2006-04-20 2013-10-22 Fireeye, Inc. Malware containment on connection
US8528086B1 (en) 2004-04-01 2013-09-03 Fireeye, Inc. System and method of detecting computer worms
US8171553B2 (en) 2004-04-01 2012-05-01 Fireeye, Inc. Heuristic based capture with replay to virtual machine
US8375444B2 (en) 2006-04-20 2013-02-12 Fireeye, Inc. Dynamic signature creation and enforcement
US8584239B2 (en) 2004-04-01 2013-11-12 Fireeye, Inc. Virtual machine with dynamic data flow analysis
US8539582B1 (en) 2004-04-01 2013-09-17 Fireeye, Inc. Malware containment and security analysis on connection
US8793787B2 (en) 2004-04-01 2014-07-29 Fireeye, Inc. Detecting malicious network content using virtual environment components
US8549638B2 (en) 2004-06-14 2013-10-01 Fireeye, Inc. System and method of containing computer worms
US9106694B2 (en) * 2004-04-01 2015-08-11 Fireeye, Inc. Electronic message analysis for malware detection
US7587537B1 (en) 2007-11-30 2009-09-08 Altera Corporation Serializer-deserializer circuits formed from input-output circuit registers
US8881282B1 (en) 2004-04-01 2014-11-04 Fireeye, Inc. Systems and methods for malware attack detection and identification
ATE500698T1 (en) 2004-04-30 2011-03-15 Research In Motion Ltd SYSTEM AND METHOD FOR FILTERING DATA TRANSFERS IN A MOBILE DEVICE
GB0513375D0 (en) 2005-06-30 2005-08-03 Retento Ltd Computer security
US20080276302A1 (en) 2005-12-13 2008-11-06 Yoggie Security Systems Ltd. System and Method for Providing Data and Device Security Between External and Host Devices
US8869270B2 (en) 2008-03-26 2014-10-21 Cupp Computing As System and method for implementing content and network security inside a chip
US8381297B2 (en) 2005-12-13 2013-02-19 Yoggie Security Systems Ltd. System and method for providing network security to mobile devices
US8613080B2 (en) 2007-02-16 2013-12-17 Veracode, Inc. Assessment and analysis of software security flaws in virtual machines
US8856782B2 (en) 2007-03-01 2014-10-07 George Mason Research Foundation, Inc. On-demand disposable virtual work system
US8365272B2 (en) 2007-05-30 2013-01-29 Yoggie Security Systems Ltd. System and method for providing network and computer firewall protection with dynamic address isolation to a device
US8806053B1 (en) 2008-04-29 2014-08-12 F5 Networks, Inc. Methods and systems for optimizing network traffic using preemptive acknowledgment signals
US9609015B2 (en) * 2008-05-28 2017-03-28 Zscaler, Inc. Systems and methods for dynamic cloud-based malware behavior analysis
US9152789B2 (en) * 2008-05-28 2015-10-06 Zscaler, Inc. Systems and methods for dynamic cloud-based malware behavior analysis
US8631488B2 (en) 2008-08-04 2014-01-14 Cupp Computing As Systems and methods for providing security services during power management mode
US9098698B2 (en) 2008-09-12 2015-08-04 George Mason Research Foundation, Inc. Methods and apparatus for application isolation
US8087067B2 (en) 2008-10-21 2011-12-27 Lookout, Inc. Secure mobile platform system
US9235704B2 (en) 2008-10-21 2016-01-12 Lookout, Inc. System and method for a scanning API
US8533844B2 (en) 2008-10-21 2013-09-10 Lookout, Inc. System and method for security data collection and analysis
US8051480B2 (en) 2008-10-21 2011-11-01 Lookout, Inc. System and method for monitoring and analyzing multiple interfaces and multiple protocols
US8984628B2 (en) 2008-10-21 2015-03-17 Lookout, Inc. System and method for adverse mobile application identification
US9367680B2 (en) 2008-10-21 2016-06-14 Lookout, Inc. System and method for mobile communication device application advisement
US8060936B2 (en) 2008-10-21 2011-11-15 Lookout, Inc. Security status and information display system
US8108933B2 (en) 2008-10-21 2012-01-31 Lookout, Inc. System and method for attack and malware prevention
US9043919B2 (en) 2008-10-21 2015-05-26 Lookout, Inc. Crawling multiple markets and correlating
US8347386B2 (en) 2008-10-21 2013-01-01 Lookout, Inc. System and method for server-coupled malware prevention
US9781148B2 (en) 2008-10-21 2017-10-03 Lookout, Inc. Methods and systems for sharing risk responses between collections of mobile communications devices
SE533007C2 (en) 2008-10-24 2010-06-08 Ilt Productions Ab Distributed data storage
US8566444B1 (en) 2008-10-30 2013-10-22 F5 Networks, Inc. Methods and system for simultaneous multiple rules checking
US8997219B2 (en) 2008-11-03 2015-03-31 Fireeye, Inc. Systems and methods for detecting malicious PDF network content
US8850571B2 (en) * 2008-11-03 2014-09-30 Fireeye, Inc. Systems and methods for detecting malicious network content
US8789202B2 (en) 2008-11-19 2014-07-22 Cupp Computing As Systems and methods for providing real time access monitoring of a removable media device
US9042876B2 (en) 2009-02-17 2015-05-26 Lookout, Inc. System and method for uploading location information based on device movement
US8538815B2 (en) 2009-02-17 2013-09-17 Lookout, Inc. System and method for mobile device replacement
US8855601B2 (en) 2009-02-17 2014-10-07 Lookout, Inc. System and method for remotely-initiated audio communication
US9955352B2 (en) 2009-02-17 2018-04-24 Lookout, Inc. Methods and systems for addressing mobile communications devices that are lost or stolen but not yet reported as such
US8467768B2 (en) 2009-02-17 2013-06-18 Lookout, Inc. System and method for remotely securing or recovering a mobile device
US8839422B2 (en) 2009-06-30 2014-09-16 George Mason Research Foundation, Inc. Virtual browsing environment
US8489685B2 (en) 2009-07-17 2013-07-16 Aryaka Networks, Inc. Application acceleration as a service system and method
WO2011021898A2 (en) * 2009-08-21 2011-02-24 Samsung Electronics Co., Ltd. Shared data transmitting method, server, and system
US10157280B2 (en) 2009-09-23 2018-12-18 F5 Networks, Inc. System and method for identifying security breach attempts of a website
US8832829B2 (en) 2009-09-30 2014-09-09 Fireeye, Inc. Network-based binary file extraction and analysis for malware detection
US8868961B1 (en) 2009-11-06 2014-10-21 F5 Networks, Inc. Methods for acquiring hyper transport timing and devices thereof
US10721269B1 (en) 2009-11-06 2020-07-21 F5 Networks, Inc. Methods and system for returning requests with javascript for clients before passing a request to a server
EP2712149B1 (en) 2010-04-23 2019-10-30 Compuverde AB Distributed data storage
US9141625B1 (en) 2010-06-22 2015-09-22 F5 Networks, Inc. Methods for preserving flow state during virtual machine migration and devices thereof
US10015286B1 (en) 2010-06-23 2018-07-03 F5 Networks, Inc. System and method for proxying HTTP single sign on across network domains
US8839441B2 (en) * 2010-06-28 2014-09-16 Infosys Limited Method and system for adaptive vulnerability scanning of an application
US8908545B1 (en) 2010-07-08 2014-12-09 F5 Networks, Inc. System and method for handling TCP performance in network access with driver initiated application tunnel
US8347100B1 (en) 2010-07-14 2013-01-01 F5 Networks, Inc. Methods for DNSSEC proxying and deployment amelioration and systems thereof
US9083760B1 (en) 2010-08-09 2015-07-14 F5 Networks, Inc. Dynamic cloning and reservation of detached idle connections
CN102404281B (en) * 2010-09-09 2014-08-13 北京神州绿盟信息安全科技股份有限公司 Website scanning device and method
US8630174B1 (en) 2010-09-14 2014-01-14 F5 Networks, Inc. System and method for post shaping TCP packetization
US8886981B1 (en) 2010-09-15 2014-11-11 F5 Networks, Inc. Systems and methods for idle driven scheduling
US8804504B1 (en) 2010-09-16 2014-08-12 F5 Networks, Inc. System and method for reducing CPU load in processing PPP packets on a SSL-VPN tunneling device
US9215548B2 (en) * 2010-09-22 2015-12-15 Ncc Group Security Services, Inc. Methods and systems for rating privacy risk of applications for smart phones and other mobile platforms
US8776227B1 (en) * 2010-10-21 2014-07-08 Symantec Corporation User interface based malware detection
US20120102569A1 (en) * 2010-10-21 2012-04-26 F-Secure Corporation Computer system analysis method and apparatus
EP2633667B1 (en) 2010-10-29 2017-09-06 F5 Networks, Inc System and method for on the fly protocol conversion in obtaining policy enforcement information
US8959571B2 (en) 2010-10-29 2015-02-17 F5 Networks, Inc. Automated policy builder
AU2011320339B2 (en) * 2010-10-31 2015-09-03 Temporal Defense Systems, L.L.C. System and method for securing virtual computing environments
US20120117558A1 (en) * 2010-11-04 2012-05-10 Microsoft Corporation Mobile application migration service
US8869307B2 (en) * 2010-11-19 2014-10-21 Mobile Iron, Inc. Mobile posture-based policy, remediation and access control for enterprise resources
US20120137369A1 (en) * 2010-11-29 2012-05-31 Infosec Co., Ltd. Mobile terminal with security functionality and method of implementing the same
US9088601B2 (en) * 2010-12-01 2015-07-21 Cisco Technology, Inc. Method and apparatus for detecting malicious software through contextual convictions, generic signatures and machine learning techniques
US9218461B2 (en) 2010-12-01 2015-12-22 Cisco Technology, Inc. Method and apparatus for detecting malicious software through contextual convictions
US8516597B1 (en) * 2010-12-02 2013-08-20 Symantec Corporation Method to calculate a risk score of a folder that has been scanned for confidential information
US9219744B2 (en) * 2010-12-08 2015-12-22 At&T Intellectual Property I, L.P. Mobile botnet mitigation
US8555384B1 (en) * 2010-12-10 2013-10-08 Amazon Technologies, Inc. System and method for gathering data for detecting fraudulent transactions
US9094291B1 (en) 2010-12-14 2015-07-28 Symantec Corporation Partial risk score calculation for a data object
US8590047B2 (en) * 2011-01-04 2013-11-19 Bank Of America Corporation System and method for management of vulnerability assessment
US8627467B2 (en) * 2011-01-14 2014-01-07 F5 Networks, Inc. System and method for selectively storing web objects in a cache memory based on policy decisions
US8763121B2 (en) * 2011-01-20 2014-06-24 F-Secure Corporation Mitigating multiple advanced evasion technique attacks
US10135831B2 (en) 2011-01-28 2018-11-20 F5 Networks, Inc. System and method for combining an access control system with a traffic management system
US20120260304A1 (en) * 2011-02-15 2012-10-11 Webroot Inc. Methods and apparatus for agent-based malware management
US8800044B2 (en) * 2011-03-23 2014-08-05 Architelos, Inc. Storing and accessing threat information for use in predictive modeling in a network security service
RU2449360C1 (en) * 2011-03-28 2012-04-27 Закрытое акционерное общество "Лаборатория Касперского" System and method for creating antivirus databases in accordance with personal computer parameters
US8839434B2 (en) 2011-04-15 2014-09-16 Raytheon Company Multi-nodal malware analysis
US8566935B2 (en) 2011-05-12 2013-10-22 At&T Intellectual Property I, L.P. Balancing malware rootkit detection with power consumption on mobile devices
US8578492B2 (en) * 2011-05-19 2013-11-05 F-Secure Corporation Application revocation
US9158919B2 (en) * 2011-06-13 2015-10-13 Microsoft Technology Licensing, Llc Threat level assessment of applications
US9858415B2 (en) * 2011-06-16 2018-01-02 Microsoft Technology Licensing, Llc Cloud malware false positive recovery
US9246819B1 (en) 2011-06-20 2016-01-26 F5 Networks, Inc. System and method for performing message-based load balancing
US8635079B2 (en) 2011-06-27 2014-01-21 Raytheon Company System and method for sharing malware analysis results
US8640246B2 (en) 2011-06-27 2014-01-28 Raytheon Company Distributed malware detection
EP2727295B1 (en) * 2011-06-28 2015-04-08 Interdigital Patent Holdings, Inc. Managing data mobility policies
US8584242B2 (en) * 2011-07-12 2013-11-12 At&T Intellectual Property I, L.P. Remote-assisted malware detection
US8788881B2 (en) 2011-08-17 2014-07-22 Lookout, Inc. System and method for mobile device push communications
KR101326896B1 (en) * 2011-08-24 2013-11-11 주식회사 팬택 Terminal and method for providing risk of applications using the same
US8769138B2 (en) 2011-09-02 2014-07-01 Compuverde Ab Method for data retrieval from a distributed data storage system
US9626378B2 (en) 2011-09-02 2017-04-18 Compuverde Ab Method for handling requests in a storage system and a storage node for a storage system
US8645978B2 (en) 2011-09-02 2014-02-04 Compuverde Ab Method for data maintenance
KR101281825B1 (en) * 2011-09-07 2013-08-23 주식회사 팬택 Apparatus and method that enhance security using virtual interface in cloud system
US9344335B2 (en) 2011-09-09 2016-05-17 Microsoft Technology Licensing, Llc Network communication and cost awareness
JP2013077297A (en) * 2011-09-15 2013-04-25 Canon Inc Information processor and control method thereof
US9003532B2 (en) * 2011-09-15 2015-04-07 Raytheon Company Providing a network-accessible malware analysis
EP2610776B1 (en) 2011-09-16 2019-08-21 Veracode, Inc. Automated behavioural and static analysis using an instrumented sandbox and machine learning classification for mobile security
US8875293B2 (en) * 2011-09-22 2014-10-28 Raytheon Company System, method, and logic for classifying communications
US8387141B1 (en) * 2011-09-27 2013-02-26 Green Head LLC Smartphone security system
US9161226B2 (en) 2011-10-17 2015-10-13 Blackberry Limited Associating services to perimeters
WO2013063474A1 (en) * 2011-10-28 2013-05-02 Scargo, Inc. Security policy deployment and enforcement system for the detection and control of polymorphic and targeted malware
US20130111018A1 (en) * 2011-10-28 2013-05-02 International Business Machines Coporation Passive monitoring of virtual systems using agent-less, offline indexing
KR20130051116A (en) * 2011-11-09 2013-05-20 한국전자통신연구원 Apparatus for automatically inspecting security of applications and method thereof
US9613219B2 (en) 2011-11-10 2017-04-04 Blackberry Limited Managing cross perimeter access
US9071639B2 (en) * 2011-11-10 2015-06-30 Securebrain Corporation Unauthorized application detection system and method
KR101295644B1 (en) * 2011-11-11 2013-09-16 한국전자통신연구원 System and method for verifying smart phone application
EP2595423B1 (en) * 2011-11-21 2018-01-03 Swisscom AG Application security evaluation system and method
US8776242B2 (en) 2011-11-29 2014-07-08 Raytheon Company Providing a malware analysis using a secure malware detection process
WO2013082437A1 (en) 2011-12-02 2013-06-06 Invincia, Inc. Methods and apparatus for control and detection of malicious content using a sandbox environment
US9087154B1 (en) * 2011-12-12 2015-07-21 Crashlytics, Inc. System and method for providing additional functionality to developer side application in an integrated development environment
US10365911B2 (en) * 2011-12-18 2019-07-30 International Business Machines Corporation Determining optimal update frequency for software application updates
US9214823B1 (en) * 2011-12-20 2015-12-15 Sprint Spectrum L.P. Correlating operational states and battery usage of devices to extend battery duration
US9270766B2 (en) 2011-12-30 2016-02-23 F5 Networks, Inc. Methods for identifying network traffic characteristics to correlate and manage one or more subsequent flows and devices thereof
US9264556B2 (en) 2012-01-27 2016-02-16 Microsoft Technology Licensing, Llc On-device attribution of network data usage
KR20130094522A (en) * 2012-02-16 2013-08-26 한국전자통신연구원 Mobile terminal and method for security diagnostics
US10230566B1 (en) 2012-02-17 2019-03-12 F5 Networks, Inc. Methods for dynamically constructing a service principal name and devices thereof
US9172753B1 (en) 2012-02-20 2015-10-27 F5 Networks, Inc. Methods for optimizing HTTP header based authentication and devices thereof
US9231879B1 (en) 2012-02-20 2016-01-05 F5 Networks, Inc. Methods for policy-based network traffic queue management and devices thereof
US9286063B2 (en) 2012-02-22 2016-03-15 Veracode, Inc. Methods and systems for providing feedback and suggested programming methods
US9519782B2 (en) 2012-02-24 2016-12-13 Fireeye, Inc. Detecting malicious network content
US8844036B2 (en) 2012-03-02 2014-09-23 Sri International Method and system for application-based policy monitoring and enforcement on a mobile device
US8925092B1 (en) * 2012-03-08 2014-12-30 Amazon Technologies, Inc. Risk assessment for software applications
US8646074B1 (en) * 2012-03-14 2014-02-04 Symantec Corporation Systems and methods for enabling otherwise unprotected computing devices to assess the reputations of wireless access points
US20130254880A1 (en) * 2012-03-21 2013-09-26 Mcafee, Inc. System and method for crowdsourcing of mobile application reputations
US9275227B2 (en) 2012-04-05 2016-03-01 International Business Machines Corporation Policy driven administration of mobile applications
US9152784B2 (en) * 2012-04-18 2015-10-06 Mcafee, Inc. Detection and prevention of installation of malicious mobile applications
GB2502254B (en) * 2012-04-20 2014-06-04 F Secure Corp Discovery of suspect IP addresses
US9075978B2 (en) * 2012-04-23 2015-07-07 Sap Se Secure configuration of mobile applications
US9331995B2 (en) 2012-04-23 2016-05-03 Sap Se Secure configuration of mobile application
JP6132605B2 (en) * 2012-04-26 2017-05-24 キヤノン株式会社 Information processing apparatus and control method thereof
EP2853074B1 (en) 2012-04-27 2021-03-24 F5 Networks, Inc Methods for optimizing service of content requests and devices thereof
CN103377341A (en) * 2012-04-28 2013-10-30 北京网秦天下科技有限公司 Method and system for security detection
CA2874489A1 (en) 2012-05-09 2013-11-14 SunStone Information Defense Inc. Methods and apparatus for identifying and removing malicious applications
US9210211B2 (en) 2012-05-10 2015-12-08 Hulu, LLC Remote automated updates for an application
RU2485577C1 (en) * 2012-05-11 2013-06-20 Закрытое акционерное общество "Лаборатория Касперского" Method of increasing reliability of detecting malicious software
US20130303118A1 (en) * 2012-05-11 2013-11-14 T-Mobile Usa, Inc. Mobile device security
US9690635B2 (en) 2012-05-14 2017-06-27 Qualcomm Incorporated Communicating behavior information in a mobile computing device
US9324034B2 (en) 2012-05-14 2016-04-26 Qualcomm Incorporated On-device real-time behavior analyzer
US9298494B2 (en) 2012-05-14 2016-03-29 Qualcomm Incorporated Collaborative learning for efficient behavioral analysis in networked mobile device
US9609456B2 (en) 2012-05-14 2017-03-28 Qualcomm Incorporated Methods, devices, and systems for communicating behavioral analysis information
US20130304677A1 (en) * 2012-05-14 2013-11-14 Qualcomm Incorporated Architecture for Client-Cloud Behavior Analyzer
US9202047B2 (en) 2012-05-14 2015-12-01 Qualcomm Incorporated System, apparatus, and method for adaptive observation of mobile device behavior
US9407443B2 (en) 2012-06-05 2016-08-02 Lookout, Inc. Component analysis of software applications on computing devices
US9589129B2 (en) 2012-06-05 2017-03-07 Lookout, Inc. Determining source of side-loaded software
US20130333039A1 (en) * 2012-06-07 2013-12-12 Mcafee, Inc. Evaluating Whether to Block or Allow Installation of a Software Application
US10409984B1 (en) 2012-06-15 2019-09-10 Square, Inc. Hierarchical data security measures for a mobile device
US9369466B2 (en) 2012-06-21 2016-06-14 Blackberry Limited Managing use of network resources
US8819772B2 (en) * 2012-06-25 2014-08-26 Appthority, Inc. In-line filtering of insecure or unwanted mobile device software components or communications
US10019765B2 (en) * 2012-06-27 2018-07-10 Facebook, Inc. Determining and providing feedback about communications from an application on a social networking platform
US9047463B2 (en) 2012-06-29 2015-06-02 Sri International Method and system for protecting data flow at a mobile device
US20140006616A1 (en) * 2012-06-29 2014-01-02 Nokia Corporation Method and apparatus for categorizing application access requests on a device
US9094830B2 (en) * 2012-07-05 2015-07-28 Blackberry Limited Managing data transfer across a network interface
TWI461953B (en) 2012-07-12 2014-11-21 Ind Tech Res Inst Computing environment security method and electronic computing system
CN103581152B (en) * 2012-08-08 2018-06-15 腾讯科技(深圳)有限公司 Update the method and device of scanning rule
US9330257B2 (en) 2012-08-15 2016-05-03 Qualcomm Incorporated Adaptive observation of behavioral features on a mobile device
US9319897B2 (en) 2012-08-15 2016-04-19 Qualcomm Incorporated Secure behavior analysis over trusted execution environment
US9495537B2 (en) 2012-08-15 2016-11-15 Qualcomm Incorporated Adaptive observation of behavioral features on a mobile device
US9747440B2 (en) 2012-08-15 2017-08-29 Qualcomm Incorporated On-line behavioral analysis engine in mobile device with multiple analyzer model providers
CN102868685B (en) * 2012-08-29 2015-04-15 北京神州绿盟信息安全科技股份有限公司 Method and device for judging automatic scanning behavior
CN104603791A (en) * 2012-09-25 2015-05-06 三菱电机株式会社 Signature verification device, signature verification method, and program
CN102945347B (en) * 2012-09-29 2016-02-24 中兴通讯股份有限公司 A kind of method, system and equipment detecting Android malware
US20140096246A1 (en) * 2012-10-01 2014-04-03 Google Inc. Protecting users from undesirable content
US9973501B2 (en) 2012-10-09 2018-05-15 Cupp Computing As Transaction security systems and methods
US11126418B2 (en) * 2012-10-11 2021-09-21 Mcafee, Llc Efficient shared image deployment
JP6013613B2 (en) 2012-10-19 2016-10-25 マカフィー, インコーポレイテッド Mobile application management
US8655307B1 (en) 2012-10-26 2014-02-18 Lookout, Inc. System and method for developing, updating, and using user device behavioral context models to modify user, device, and application state, settings and behavior for enhanced user security
KR102017746B1 (en) * 2012-11-14 2019-09-04 한국전자통신연구원 Similarity calculating method and apparatus thereof
US9298916B2 (en) * 2012-12-10 2016-03-29 Lookout, Inc. Method and apparatus for enhanced file system monitoring on mobile communications devices
US9361595B2 (en) * 2012-12-14 2016-06-07 International Business Machines Corporation On-demand cloud service management
CN103067583A (en) * 2012-12-26 2013-04-24 鸿富锦精密工业(深圳)有限公司 Portable wireless communication device
US9208215B2 (en) 2012-12-27 2015-12-08 Lookout, Inc. User classification based on data gathered from a computing device
US9374369B2 (en) 2012-12-28 2016-06-21 Lookout, Inc. Multi-factor authentication and comprehensive login system for client-server networks
US10572665B2 (en) 2012-12-28 2020-02-25 Fireeye, Inc. System and method to create a number of breakpoints in a virtual machine via virtual machine trapping events
CN103279709A (en) * 2012-12-28 2013-09-04 武汉安天信息技术有限责任公司 Method and system for comprehensively detecting advertisement plug-in based on multi-features
US8855599B2 (en) 2012-12-31 2014-10-07 Lookout, Inc. Method and apparatus for auxiliary communications with mobile communications device
US10089582B2 (en) 2013-01-02 2018-10-02 Qualcomm Incorporated Using normalized confidence values for classifying mobile device behaviors
US9684870B2 (en) 2013-01-02 2017-06-20 Qualcomm Incorporated Methods and systems of using boosted decision stumps and joint feature selection and culling algorithms for the efficient classification of mobile device behaviors
US9686023B2 (en) 2013-01-02 2017-06-20 Qualcomm Incorporated Methods and systems of dynamically generating and using device-specific and device-state-specific classifier models for the efficient classification of mobile device behaviors
US9424409B2 (en) 2013-01-10 2016-08-23 Lookout, Inc. Method and system for protecting privacy and enhancing security on an electronic device
US8505102B1 (en) 2013-01-14 2013-08-06 Google Inc. Detecting undesirable content
GB2507357B (en) * 2013-01-21 2016-04-20 F Secure Corp Agent based application reputation system for operating systems
US9742559B2 (en) 2013-01-22 2017-08-22 Qualcomm Incorporated Inter-module authentication for securing application execution integrity within a computing device
US20140215614A1 (en) * 2013-01-30 2014-07-31 Samsung Electronics Co., Ltd. System and method for a security assessment of an application uploaded to an appstore
US9491187B2 (en) 2013-02-15 2016-11-08 Qualcomm Incorporated APIs for obtaining device-specific behavior classifier models from the cloud
US10375155B1 (en) 2013-02-19 2019-08-06 F5 Networks, Inc. System and method for achieving hardware acceleration for asymmetric flow connections
US9733917B2 (en) * 2013-02-20 2017-08-15 Crimson Corporation Predicting whether a party will purchase a product
WO2014128253A1 (en) 2013-02-22 2014-08-28 Adaptive Mobile Security Limited System and method for embedded mobile (em)/machine to machine (m2m) security, pattern detection, mitigation
EP2959658A1 (en) 2013-02-22 2015-12-30 Adaptive Mobile Security Limited Dynamic traffic steering system and method in a network
EP2959707B1 (en) * 2013-02-22 2020-08-26 Adaptive Mobile Security Limited Network security system and method
US9367681B1 (en) 2013-02-23 2016-06-14 Fireeye, Inc. Framework for efficient security coverage of mobile software applications using symbolic execution to reach regions of interest within an application
US9824209B1 (en) 2013-02-23 2017-11-21 Fireeye, Inc. Framework for efficient security coverage of mobile software applications that is usable to harden in the field code
US9009822B1 (en) 2013-02-23 2015-04-14 Fireeye, Inc. Framework for multi-phase analysis of mobile applications
US9195829B1 (en) 2013-02-23 2015-11-24 Fireeye, Inc. User interface with real-time visual playback along with synchronous textual analysis log display and event/time index for anomalous behavior detection in applications
US8990944B1 (en) 2013-02-23 2015-03-24 Fireeye, Inc. Systems and methods for automatically detecting backdoors
US9009823B1 (en) 2013-02-23 2015-04-14 Fireeye, Inc. Framework for efficient security coverage of mobile software applications installed on mobile devices
US9159035B1 (en) 2013-02-23 2015-10-13 Fireeye, Inc. Framework for computer application analysis of sensitive information tracking
US9176843B1 (en) 2013-02-23 2015-11-03 Fireeye, Inc. Framework for efficient security coverage of mobile software applications
US20140244741A1 (en) * 2013-02-25 2014-08-28 Stellr, Inc. Computer-Implemented System And Method For Context-Based APP Searching And APP Use Insights
KR101739125B1 (en) * 2013-02-27 2017-05-24 한국전자통신연구원 Apparatus and method for analysing a permission of application for mobile device and detecting risk
US9794106B1 (en) * 2013-03-04 2017-10-17 Google Inc. Detecting application store ranking spam
US20140258511A1 (en) * 2013-03-11 2014-09-11 Bluebox Security Inc. Methods and Apparatus for Reestablishing Secure Network Communications
US9565202B1 (en) 2013-03-13 2017-02-07 Fireeye, Inc. System and method for detecting exfiltration content
US9626509B1 (en) 2013-03-13 2017-04-18 Fireeye, Inc. Malicious content analysis with multi-version application support within single operating environment
US9355247B1 (en) 2013-03-13 2016-05-31 Fireeye, Inc. File extraction from memory dump for malicious content analysis
US9104867B1 (en) 2013-03-13 2015-08-11 Fireeye, Inc. Malicious content analysis using simulated user interaction without user involvement
US9311479B1 (en) 2013-03-14 2016-04-12 Fireeye, Inc. Correlation and consolidation of analytic data for holistic view of a malware attack
US9852416B2 (en) 2013-03-14 2017-12-26 Lookout, Inc. System and method for authorizing a payment transaction
US10699273B2 (en) 2013-03-14 2020-06-30 Lookout, Inc. System and method for authorizing payment transaction based on device locations
US9430646B1 (en) 2013-03-14 2016-08-30 Fireeye, Inc. Distributed systems and methods for automatically detecting unknown bots and botnets
US20140279379A1 (en) * 2013-03-14 2014-09-18 Rami Mahdi First party fraud detection system
WO2014145805A1 (en) 2013-03-15 2014-09-18 Mandiant, Llc System and method employing structured intelligence to verify and contain threats at endpoints
US10713358B2 (en) 2013-03-15 2020-07-14 Fireeye, Inc. System and method to extract and utilize disassembly features to classify software intent
US9106693B2 (en) 2013-03-15 2015-08-11 Juniper Networks, Inc. Attack detection and prevention using global device fingerprinting
US9251343B1 (en) 2013-03-15 2016-02-02 Fireeye, Inc. Detecting bootkits resident on compromised computers
US9292694B1 (en) * 2013-03-15 2016-03-22 Bitdefender IPR Management Ltd. Privacy protection for mobile devices
US20140304787A1 (en) * 2013-04-05 2014-10-09 Microsoft Corporation Badge notification subscriptions
US9307412B2 (en) 2013-04-24 2016-04-05 Lookout, Inc. Method and system for evaluating security for an interactive service operation by a mobile device
US9825971B2 (en) 2013-04-24 2017-11-21 Microsoft Technology Licensing, Llc Anonymous server based user settings protection
US9286568B2 (en) 2013-05-03 2016-03-15 Asurion, Llc Battery drain analysis and prediction for wireless devices
US9495180B2 (en) 2013-05-10 2016-11-15 Fireeye, Inc. Optimized resource allocation for virtual machines within a malware content detection system
US9635039B1 (en) 2013-05-13 2017-04-25 Fireeye, Inc. Classifying sets of malicious indicators for detecting command and control communications associated with malware
US9998536B2 (en) 2013-05-29 2018-06-12 Microsoft Technology Licensing, Llc Metered network synchronization
US9152694B1 (en) * 2013-06-17 2015-10-06 Appthority, Inc. Automated classification of applications for mobile devices
US10133863B2 (en) 2013-06-24 2018-11-20 Fireeye, Inc. Zero-day discovery system
US9536091B2 (en) 2013-06-24 2017-01-03 Fireeye, Inc. System and method for detecting time-bomb malware
US9686304B1 (en) * 2013-06-25 2017-06-20 Symantec Corporation Systems and methods for healing infected document files
CN104253791B (en) 2013-06-27 2017-12-15 华为终端(东莞)有限公司 A kind of safety access method of Web page application program, server and client side
US9888016B1 (en) 2013-06-28 2018-02-06 Fireeye, Inc. System and method for detecting phishing using password prediction
US9300686B2 (en) 2013-06-28 2016-03-29 Fireeye, Inc. System and method for detecting malicious links in electronic messages
US11157976B2 (en) 2013-07-08 2021-10-26 Cupp Computing As Systems and methods for providing digital content marketplace security
US20150026483A1 (en) * 2013-07-17 2015-01-22 Marvell World Trade Ltd. Systems and Methods for Mobile Application Protection
TWI499932B (en) 2013-07-17 2015-09-11 Ind Tech Res Inst Method for application management, corresponding system, and user device
US9589130B2 (en) * 2013-08-20 2017-03-07 White Cloud Security, L.L.C. Application trust-listing security service
US9871809B2 (en) 2013-08-26 2018-01-16 Shine Security Ltd. Reversion of system objects affected by a malware
US9015839B2 (en) 2013-08-30 2015-04-21 Juniper Networks, Inc. Identifying malicious devices within a computer network
US9942246B2 (en) * 2013-09-02 2018-04-10 Shine Security Ltd. Preemptive event handling
WO2015035559A1 (en) 2013-09-10 2015-03-19 Symantec Corporation Systems and methods for using event-correlation graphs to detect attacks on computing systems
US9607146B2 (en) * 2013-09-18 2017-03-28 Qualcomm Incorporated Data flow based behavioral analysis on mobile devices
US9166997B1 (en) 2013-09-19 2015-10-20 Symantec Corporation Systems and methods for reducing false positives when using event-correlation graphs to detect attacks on computing systems
CN105683988A (en) * 2013-09-27 2016-06-15 迈克菲公司 Managed software remediation
US9690936B1 (en) 2013-09-30 2017-06-27 Fireeye, Inc. Multistage system and method for analyzing obfuscated content for malware
US9294501B2 (en) 2013-09-30 2016-03-22 Fireeye, Inc. Fuzzy hash of behavioral results
US10089461B1 (en) 2013-09-30 2018-10-02 Fireeye, Inc. Page replacement code injection
US9628507B2 (en) 2013-09-30 2017-04-18 Fireeye, Inc. Advanced persistent threat (APT) detection center
US10192052B1 (en) 2013-09-30 2019-01-29 Fireeye, Inc. System, apparatus and method for classifying a file as malicious using static scanning
US9171160B2 (en) 2013-09-30 2015-10-27 Fireeye, Inc. Dynamically adaptive framework and method for classifying malware using intelligent static, emulation, and dynamic analyses
US9736179B2 (en) 2013-09-30 2017-08-15 Fireeye, Inc. System, apparatus and method for using malware analysis results to drive adaptive instrumentation of virtual machines to improve exploit detection
US10515214B1 (en) 2013-09-30 2019-12-24 Fireeye, Inc. System and method for classifying malware within content created during analysis of a specimen
US9642008B2 (en) 2013-10-25 2017-05-02 Lookout, Inc. System and method for creating and assigning a policy for a mobile communications device based on personal data
US10223530B2 (en) 2013-11-13 2019-03-05 Proofpoint, Inc. System and method of protecting client computers
US10187317B1 (en) 2013-11-15 2019-01-22 F5 Networks, Inc. Methods for traffic rate control and devices thereof
US9189627B1 (en) 2013-11-21 2015-11-17 Fireeye, Inc. System, apparatus and method for conducting on-the-fly decryption of encrypted objects for malware detection
US8863158B1 (en) 2013-12-04 2014-10-14 Google Inc. Intents with application-specific data
US10122747B2 (en) 2013-12-06 2018-11-06 Lookout, Inc. Response generation after distributed monitoring and evaluation of multiple devices
US9753796B2 (en) 2013-12-06 2017-09-05 Lookout, Inc. Distributed monitoring, evaluation, and response for multiple devices
US9148441B1 (en) 2013-12-23 2015-09-29 Symantec Corporation Systems and methods for adjusting suspiciousness scores in event-correlation graphs
US9747446B1 (en) 2013-12-26 2017-08-29 Fireeye, Inc. System and method for run-time object classification
US9756074B2 (en) 2013-12-26 2017-09-05 Fireeye, Inc. System and method for IPS and VM-based detection of suspicious objects
US9740857B2 (en) 2014-01-16 2017-08-22 Fireeye, Inc. Threat-aware microvisor
US10802681B2 (en) * 2014-01-27 2020-10-13 Microsoft Technology Licensing, Llc Actionable notifications
US10540063B2 (en) 2014-01-27 2020-01-21 Microsoft Technology Licensing, Llc Processing actionable notifications
US9262635B2 (en) * 2014-02-05 2016-02-16 Fireeye, Inc. Detection efficacy of virtual machine-based analysis with application specific events
US9258318B2 (en) * 2014-02-12 2016-02-09 Symantec Corporation Systems and methods for informing users about applications available for download
WO2015123611A2 (en) 2014-02-13 2015-08-20 Cupp Computing As Systems and methods for providing network security using a secure digital device
US9197662B2 (en) * 2014-02-26 2015-11-24 Symantec Corporation Systems and methods for optimizing scans of pre-installed applications
US8990637B1 (en) * 2014-03-17 2015-03-24 Splunk Inc. Computing and accessing quality indicators of computer applications
US9241010B1 (en) * 2014-03-20 2016-01-19 Fireeye, Inc. System and method for network behavior detection
US10242185B1 (en) 2014-03-21 2019-03-26 Fireeye, Inc. Dynamic guest image creation and rollback
US9256739B1 (en) * 2014-03-21 2016-02-09 Symantec Corporation Systems and methods for using event-correlation graphs to generate remediation procedures
US9680872B1 (en) * 2014-03-25 2017-06-13 Amazon Technologies, Inc. Trusted-code generated requests
US9591015B1 (en) 2014-03-28 2017-03-07 Fireeye, Inc. System and method for offloading packet processing and static analysis operations
US9432389B1 (en) 2014-03-31 2016-08-30 Fireeye, Inc. System, apparatus and method for detecting a malicious attack based on static analysis of a multi-flow object
US9223972B1 (en) 2014-03-31 2015-12-29 Fireeye, Inc. Dynamically remote tuning of a malware content detection system
CN103955645B (en) * 2014-04-28 2017-03-08 百度在线网络技术(北京)有限公司 The detection method of malicious process behavior, apparatus and system
CN104036194B (en) * 2014-05-16 2017-02-15 北京金山安全软件有限公司 Vulnerability detection method and device for revealing private data in application program
US10015143B1 (en) 2014-06-05 2018-07-03 F5 Networks, Inc. Methods for securing one or more license entitlement grants and devices thereof
US9594912B1 (en) 2014-06-06 2017-03-14 Fireeye, Inc. Return-oriented programming detection
US10084813B2 (en) 2014-06-24 2018-09-25 Fireeye, Inc. Intrusion prevention and remedy system
US10432720B1 (en) 2014-06-25 2019-10-01 Symantec Corporation Systems and methods for strong information about transmission control protocol connections
US9398028B1 (en) 2014-06-26 2016-07-19 Fireeye, Inc. System, device and method for detecting a malicious attack based on communcations between remotely hosted virtual machines and malicious web servers
US10805340B1 (en) 2014-06-26 2020-10-13 Fireeye, Inc. Infection vector and malware tracking with an interactive user display
US10445499B1 (en) * 2014-06-26 2019-10-15 Palo Alto Networks, Inc. Grouping application components for classification and malware detection
US10002252B2 (en) 2014-07-01 2018-06-19 Fireeye, Inc. Verification of trusted threat-aware microvisor
US9785773B2 (en) * 2014-07-03 2017-10-10 Palantir Technologies Inc. Malware data item analysis
KR20160006925A (en) * 2014-07-10 2016-01-20 한국전자통신연구원 Apparatus and method for verifying application integrities
US11838851B1 (en) 2014-07-15 2023-12-05 F5, Inc. Methods for managing L7 traffic classification and devices thereof
US20160026366A1 (en) * 2014-07-22 2016-01-28 Runfeng LUAN Method and system for customizing mobile terminal application
US9313218B1 (en) * 2014-07-23 2016-04-12 Symantec Corporation Systems and methods for providing information identifying the trustworthiness of applications on application distribution platforms
US9323518B1 (en) 2014-07-29 2016-04-26 Symantec Corporation Systems and methods for modifying applications without user input
US9923844B1 (en) * 2014-07-30 2018-03-20 Whatsapp Inc. Conveying instant messages via HTTP
US9990505B2 (en) * 2014-08-12 2018-06-05 Redwall Technologies, Llc Temporally isolating data accessed by a computing device
US10122630B1 (en) 2014-08-15 2018-11-06 F5 Networks, Inc. Methods for network traffic presteering and devices thereof
US20160063379A1 (en) * 2014-09-03 2016-03-03 International Business Machines Corporation Anonymous Crowd Sourced Software Tuning
US9965627B2 (en) * 2014-09-14 2018-05-08 Sophos Limited Labeling objects on an endpoint for encryption management
US9537841B2 (en) 2014-09-14 2017-01-03 Sophos Limited Key management for compromised enterprise endpoints
US10122687B2 (en) 2014-09-14 2018-11-06 Sophos Limited Firewall techniques for colored objects on endpoints
US10671726B1 (en) 2014-09-22 2020-06-02 Fireeye Inc. System and method for malware analysis using thread-level event monitoring
US9773112B1 (en) 2014-09-29 2017-09-26 Fireeye, Inc. Exploit detection of malware and malware families
US10027689B1 (en) 2014-09-29 2018-07-17 Fireeye, Inc. Interactive infection visualization for improved exploit detection and signature generation for malware and malware families
US9367685B2 (en) * 2014-09-30 2016-06-14 Juniper Networks, Inc. Dynamically optimizing performance of a security appliance
US10079876B1 (en) * 2014-09-30 2018-09-18 Palo Alto Networks, Inc. Mobile URL categorization
US9843594B1 (en) 2014-10-28 2017-12-12 Symantec Corporation Systems and methods for detecting anomalous messages in automobile networks
US10182013B1 (en) 2014-12-01 2019-01-15 F5 Networks, Inc. Methods for managing progressive image delivery and devices thereof
RU2595511C2 (en) * 2014-12-05 2016-08-27 Закрытое акционерное общество "Лаборатория Касперского" System and method of trusted applications operation in the presence of suspicious applications
CN104506495A (en) * 2014-12-11 2015-04-08 国家电网公司 Intelligent network APT attack threat analysis method
US9537882B2 (en) * 2014-12-19 2017-01-03 Fedex Corporated Services, Inc. Methods, systems, and devices for detecting and isolating device posing security threat
US9690933B1 (en) 2014-12-22 2017-06-27 Fireeye, Inc. Framework for classifying an object as malicious with machine learning for deploying updated predictive models
US10075455B2 (en) 2014-12-26 2018-09-11 Fireeye, Inc. Zero-day rotating guest image profile
US9934376B1 (en) 2014-12-29 2018-04-03 Fireeye, Inc. Malware detection appliance architecture
US9838417B1 (en) 2014-12-30 2017-12-05 Fireeye, Inc. Intelligent context aware user interaction for malware detection
US9197663B1 (en) * 2015-01-29 2015-11-24 Bit9, Inc. Methods and systems for identifying potential enterprise software threats based on visual and non-visual data
US10230742B2 (en) * 2015-01-30 2019-03-12 Anomali Incorporated Space and time efficient threat detection
US11895138B1 (en) 2015-02-02 2024-02-06 F5, Inc. Methods for improving web scanner accuracy and devices thereof
US9432393B2 (en) * 2015-02-03 2016-08-30 Cisco Technology, Inc. Global clustering of incidents based on malware similarity and online trustfulness
US20160232353A1 (en) * 2015-02-09 2016-08-11 Qualcomm Incorporated Determining Model Protection Level On-Device based on Malware Detection in Similar Devices
US9338137B1 (en) 2015-02-13 2016-05-10 AO Kaspersky Lab System and methods for protecting confidential data in wireless networks
US9716701B1 (en) * 2015-03-24 2017-07-25 Trend Micro Incorporated Software as a service scanning system and method for scanning web traffic
US9690606B1 (en) 2015-03-25 2017-06-27 Fireeye, Inc. Selective system call monitoring
US10148693B2 (en) 2015-03-25 2018-12-04 Fireeye, Inc. Exploit detection system
US10146893B1 (en) 2015-03-27 2018-12-04 Symantec Corporation Systems and methods for evaluating electronic control units within vehicle emulations
US10382476B1 (en) 2015-03-27 2019-08-13 EMC IP Holding Company LLC Network security system incorporating assessment of alternative mobile application market sites
US9438613B1 (en) * 2015-03-30 2016-09-06 Fireeye, Inc. Dynamic content activation for automated analysis of embedded objects
US10834065B1 (en) 2015-03-31 2020-11-10 F5 Networks, Inc. Methods for SSL protected NTLM re-authentication and devices thereof
US9483644B1 (en) 2015-03-31 2016-11-01 Fireeye, Inc. Methods for detecting file altering malware in VM based analysis
US10417031B2 (en) 2015-03-31 2019-09-17 Fireeye, Inc. Selective virtualization for security threat detection
US10474813B1 (en) 2015-03-31 2019-11-12 Fireeye, Inc. Code injection technique for remediation at an endpoint of a network
US10455055B2 (en) * 2015-04-02 2019-10-22 Avaya Inc. System and method for customization of a local application
US9654485B1 (en) 2015-04-13 2017-05-16 Fireeye, Inc. Analytics-based security monitoring system and method
US10135633B2 (en) * 2015-04-21 2018-11-20 Cujo LLC Network security analysis for smart appliances
US10230740B2 (en) * 2015-04-21 2019-03-12 Cujo LLC Network security analysis for smart appliances
US9594904B1 (en) 2015-04-23 2017-03-14 Fireeye, Inc. Detecting malware based on reflection
US9692776B2 (en) 2015-04-29 2017-06-27 Symantec Corporation Systems and methods for evaluating content provided to users via user interfaces
WO2016178816A1 (en) 2015-05-01 2016-11-10 Lookout, Inc. Determining source of side-loaded software
US10505818B1 (en) 2015-05-05 2019-12-10 F5 Networks. Inc. Methods for analyzing and load balancing based on server health and devices thereof
US11350254B1 (en) * 2015-05-05 2022-05-31 F5, Inc. Methods for enforcing compliance policies and devices thereof
US10733594B1 (en) 2015-05-11 2020-08-04 Square, Inc. Data security measures for mobile devices
US9553885B2 (en) 2015-06-08 2017-01-24 Illusive Networks Ltd. System and method for creation, deployment and management of augmented attacker map
US9904544B2 (en) * 2015-06-08 2018-02-27 Ripple Luxembourg S.A. System and method for determining that results produced from executions of software have not been altered or falsified
US10382484B2 (en) 2015-06-08 2019-08-13 Illusive Networks Ltd. Detecting attackers who target containerized clusters
US10025937B1 (en) * 2015-06-26 2018-07-17 Symantec Corporation Practical and dynamic approach to enterprise hardening
US9825986B1 (en) 2015-06-29 2017-11-21 Symantec Corporation Systems and methods for generating contextually meaningful animated visualizations of computer security events
RU2618947C2 (en) * 2015-06-30 2017-05-11 Закрытое акционерное общество "Лаборатория Касперского" Method of preventing program operation comprising functional undesirable for user
US10454950B1 (en) 2015-06-30 2019-10-22 Fireeye, Inc. Centralized aggregation technique for detecting lateral movement of stealthy cyber-attacks
RU2601148C1 (en) * 2015-06-30 2016-10-27 Закрытое акционерное общество "Лаборатория Касперского" System and method for detecting anomalies when connecting devices
US10726127B1 (en) 2015-06-30 2020-07-28 Fireeye, Inc. System and method for protecting a software component running in a virtual machine through virtual interrupts by the virtualization layer
US10642753B1 (en) 2015-06-30 2020-05-05 Fireeye, Inc. System and method for protecting a software component running in virtual machine using a virtualization layer
US11113086B1 (en) 2015-06-30 2021-09-07 Fireeye, Inc. Virtual system and method for securing external network connectivity
US9807111B1 (en) 2015-07-29 2017-10-31 Symantec Corporation Systems and methods for detecting advertisements displayed to users via user interfaces
US10127403B2 (en) 2015-07-30 2018-11-13 Samsung Electronics Co., Ltd. Computing system with privacy control mechanism and method of operation thereof
US9734312B1 (en) 2015-08-12 2017-08-15 Symantec Corporation Systems and methods for detecting when users are uninstalling applications
US10715542B1 (en) 2015-08-14 2020-07-14 Fireeye, Inc. Mobile application risk analysis
US10102369B2 (en) 2015-08-19 2018-10-16 Palantir Technologies Inc. Checkout system executable code monitoring, and user account compromise determination system
US9690934B1 (en) 2015-08-27 2017-06-27 Symantec Corporation Systems and methods for protecting computing devices from imposter accessibility services
US10176321B2 (en) 2015-09-22 2019-01-08 Fireeye, Inc. Leveraging behavior-based rules for malware family classification
KR102365532B1 (en) 2015-09-22 2022-02-21 삼성전자주식회사 Security function performing method and electronic device supporting the same
KR102431266B1 (en) * 2015-09-24 2022-08-11 삼성전자주식회사 Apparatus and method for protecting information in communication system
US10033747B1 (en) 2015-09-29 2018-07-24 Fireeye, Inc. System and method for detecting interpreter-based exploit attacks
US10817606B1 (en) 2015-09-30 2020-10-27 Fireeye, Inc. Detecting delayed activation malware using a run-time monitoring agent and time-dilation logic
US9825976B1 (en) 2015-09-30 2017-11-21 Fireeye, Inc. Detection and classification of exploit kits
US10601865B1 (en) 2015-09-30 2020-03-24 Fireeye, Inc. Detection of credential spearphishing attacks using email analysis
US9825989B1 (en) 2015-09-30 2017-11-21 Fireeye, Inc. Cyber attack early warning system
US10210329B1 (en) 2015-09-30 2019-02-19 Fireeye, Inc. Method to detect application execution hijacking using memory protection
US10706149B1 (en) 2015-09-30 2020-07-07 Fireeye, Inc. Detecting delayed activation malware using a primary controller and plural time controllers
US9672358B1 (en) * 2015-11-04 2017-06-06 Invincea, Inc. Methods and apparatus for detecting malware samples with similar image sets
US10284575B2 (en) 2015-11-10 2019-05-07 Fireeye, Inc. Launcher for setting analysis environment variations for malware detection
US9544327B1 (en) * 2015-11-20 2017-01-10 International Business Machines Corporation Prioritizing security findings in a SAST tool based on historical security analysis
US9967274B2 (en) 2015-11-25 2018-05-08 Symantec Corporation Systems and methods for identifying compromised devices within industrial control systems
US10846117B1 (en) 2015-12-10 2020-11-24 Fireeye, Inc. Technique for establishing secure communication between host and guest processes of a virtualization architecture
US10447728B1 (en) 2015-12-10 2019-10-15 Fireeye, Inc. Technique for protecting guest processes using a layered virtualization architecture
US10108446B1 (en) 2015-12-11 2018-10-23 Fireeye, Inc. Late load technique for deploying a virtualization layer underneath a running operating system
GB201522315D0 (en) 2015-12-17 2016-02-03 Irdeto Bv Securing webpages, webapps and applications
WO2017106206A1 (en) 2015-12-18 2017-06-22 Cujo LLC Intercepting intra-network communication for smart appliance behavior analysis
RU2618946C1 (en) * 2015-12-18 2017-05-11 Акционерное общество "Лаборатория Касперского" Method to lock access to data on mobile device with api for users with disabilities
US11757946B1 (en) 2015-12-22 2023-09-12 F5, Inc. Methods for analyzing network traffic and enforcing network policies and devices thereof
US9817976B2 (en) * 2015-12-24 2017-11-14 Intel Corporation Techniques for detecting malware with minimal performance degradation
CN105653674B (en) * 2015-12-28 2020-02-14 Tcl海外电子(惠州)有限公司 File management method and system of intelligent terminal
US10565378B1 (en) 2015-12-30 2020-02-18 Fireeye, Inc. Exploit of privilege detection framework
US10133866B1 (en) 2015-12-30 2018-11-20 Fireeye, Inc. System and method for triggering analysis of an object for malware in response to modification of that object
US10621338B1 (en) 2015-12-30 2020-04-14 Fireeye, Inc. Method to detect forgery and exploits using last branch recording registers
US10050998B1 (en) 2015-12-30 2018-08-14 Fireeye, Inc. Malicious message analysis system
US10581874B1 (en) 2015-12-31 2020-03-03 Fireeye, Inc. Malware detection system with contextual analysis
US9824216B1 (en) 2015-12-31 2017-11-21 Fireeye, Inc. Susceptible environment detection system
US11552986B1 (en) 2015-12-31 2023-01-10 Fireeye Security Holdings Us Llc Cyber-security framework for application of virtual features
US10404698B1 (en) 2016-01-15 2019-09-03 F5 Networks, Inc. Methods for adaptive organization of web application access points in webtops and devices thereof
US11178150B1 (en) 2016-01-20 2021-11-16 F5 Networks, Inc. Methods for enforcing access control list based on managed application and devices thereof
US10797888B1 (en) 2016-01-20 2020-10-06 F5 Networks, Inc. Methods for secured SCEP enrollment for client devices and devices thereof
US11087024B2 (en) 2016-01-29 2021-08-10 Samsung Electronics Co., Ltd. System and method to enable privacy-preserving real time services against inference attacks
US10423787B2 (en) 2016-02-23 2019-09-24 Carbon Black, Inc. Cybersecurity systems and techniques
US10104100B1 (en) 2016-03-03 2018-10-16 Symantec Corporation Systems and methods for detecting anomalies that are potentially indicative of malicious attacks
CA2960535C (en) 2016-03-11 2019-08-20 The Toronto-Dominion Bank Application platform security enforcement in cross device and ownership structures
WO2017160309A1 (en) * 2016-03-18 2017-09-21 Entit Software Llc Assisting a scanning session
US10601863B1 (en) 2016-03-25 2020-03-24 Fireeye, Inc. System and method for managing sensor enrollment
US10476906B1 (en) 2016-03-25 2019-11-12 Fireeye, Inc. System and method for managing formation and modification of a cluster within a malware detection system
US10671721B1 (en) 2016-03-25 2020-06-02 Fireeye, Inc. Timeout management services
US10785255B1 (en) 2016-03-25 2020-09-22 Fireeye, Inc. Cluster configuration within a scalable malware detection system
US10893059B1 (en) 2016-03-31 2021-01-12 Fireeye, Inc. Verification and enhancement using detection systems located at the network periphery and endpoint devices
US10826933B1 (en) * 2016-03-31 2020-11-03 Fireeye, Inc. Technique for verifying exploit/malware at malware detection appliance through correlation with endpoints
US10193903B1 (en) 2016-04-29 2019-01-29 Symantec Corporation Systems and methods for detecting suspicious microcontroller messages
US10440053B2 (en) 2016-05-31 2019-10-08 Lookout, Inc. Methods and systems for detecting and preventing network connection compromise
US10791088B1 (en) 2016-06-17 2020-09-29 F5 Networks, Inc. Methods for disaggregating subscribers via DHCP address translation and devices thereof
US10169585B1 (en) 2016-06-22 2019-01-01 Fireeye, Inc. System and methods for advanced malware detection through placement of transition events
US10091077B1 (en) 2016-06-27 2018-10-02 Symantec Corporation Systems and methods for detecting transactional message sequences that are obscured in multicast communications
US10248788B2 (en) * 2016-06-28 2019-04-02 International Business Machines Corporation Detecting harmful applications prior to installation on a user device
US10462173B1 (en) 2016-06-30 2019-10-29 Fireeye, Inc. Malware detection verification and enhancement by coordinating endpoint and malware detection systems
US10373167B2 (en) 2016-06-30 2019-08-06 Square, Inc. Logical validation of devices against fraud
US10546302B2 (en) 2016-06-30 2020-01-28 Square, Inc. Logical validation of devices against fraud and tampering
CN106027564B (en) * 2016-07-08 2019-05-21 携程计算机技术(上海)有限公司 Detect the method and device of anti-crawler security policy
US10715533B2 (en) * 2016-07-26 2020-07-14 Microsoft Technology Licensing, Llc. Remediation for ransomware attacks on cloud drive folders
US20180054449A1 (en) * 2016-08-18 2018-02-22 Qualcomm Incorporated Methods and Systems for Protecting Computing Devices from Non-Benign Software Applications via Collaborative Application Detonation
US10496820B2 (en) * 2016-08-23 2019-12-03 Microsoft Technology Licensing, Llc Application behavior information
US10592678B1 (en) 2016-09-09 2020-03-17 Fireeye, Inc. Secure communications between peers using a verified virtual trusted platform module
US20180075233A1 (en) * 2016-09-13 2018-03-15 Veracode, Inc. Systems and methods for agent-based detection of hacking attempts
US10242187B1 (en) * 2016-09-14 2019-03-26 Symantec Corporation Systems and methods for providing integrated security management
US10200259B1 (en) 2016-09-21 2019-02-05 Symantec Corporation Systems and methods for detecting obscure cyclic application-layer message sequences in transport-layer message sequences
US10491627B1 (en) 2016-09-29 2019-11-26 Fireeye, Inc. Advanced malware detection using similarity analysis
US11063758B1 (en) 2016-11-01 2021-07-13 F5 Networks, Inc. Methods for facilitating cipher selection and devices thereof
US10505792B1 (en) 2016-11-02 2019-12-10 F5 Networks, Inc. Methods for facilitating network traffic analytics and devices thereof
US10795991B1 (en) 2016-11-08 2020-10-06 Fireeye, Inc. Enterprise search
US10354173B2 (en) * 2016-11-21 2019-07-16 Cylance Inc. Icon based malware detection
US10587647B1 (en) 2016-11-22 2020-03-10 Fireeye, Inc. Technique for malware detection capability comparison of network security devices
US9906545B1 (en) 2016-11-22 2018-02-27 Symantec Corporation Systems and methods for identifying message payload bit fields in electronic communications
US10581879B1 (en) 2016-12-22 2020-03-03 Fireeye, Inc. Enhanced malware detection for generated objects
US10552610B1 (en) 2016-12-22 2020-02-04 Fireeye, Inc. Adaptive virtual machine snapshot update framework for malware behavioral analysis
US10523609B1 (en) 2016-12-27 2019-12-31 Fireeye, Inc. Multi-vector malware detection and analysis
CN110235460B (en) * 2017-01-22 2021-06-08 华为技术有限公司 Application download monitoring method, mobile terminal, server and storage medium
US10628585B2 (en) 2017-01-23 2020-04-21 Microsoft Technology Licensing, Llc Ransomware resilient databases
US11496438B1 (en) 2017-02-07 2022-11-08 F5, Inc. Methods for improved network security using asymmetric traffic delivery and devices thereof
US10496993B1 (en) 2017-02-15 2019-12-03 Square, Inc. DNS-based device geolocation
US10791119B1 (en) 2017-03-14 2020-09-29 F5 Networks, Inc. Methods for temporal password injection and devices thereof
US10812266B1 (en) 2017-03-17 2020-10-20 F5 Networks, Inc. Methods for managing security tokens based on security violations and devices thereof
US10904286B1 (en) 2017-03-24 2021-01-26 Fireeye, Inc. Detection of phishing attacks using similarity analysis
US10791138B1 (en) 2017-03-30 2020-09-29 Fireeye, Inc. Subscription-based malware detection
US10902119B1 (en) 2017-03-30 2021-01-26 Fireeye, Inc. Data extraction system for malware analysis
US10798112B2 (en) 2017-03-30 2020-10-06 Fireeye, Inc. Attribute-controlled malware detection
US10848397B1 (en) 2017-03-30 2020-11-24 Fireeye, Inc. System and method for enforcing compliance with subscription requirements for cyber-attack detection service
US10931662B1 (en) 2017-04-10 2021-02-23 F5 Networks, Inc. Methods for ephemeral authentication screening and devices thereof
US9864956B1 (en) 2017-05-01 2018-01-09 SparkCognition, Inc. Generation and use of trained file classifiers for malware detection
US10972453B1 (en) 2017-05-03 2021-04-06 F5 Networks, Inc. Methods for token refreshment based on single sign-on (SSO) for federated identity environments and devices thereof
US10326788B1 (en) 2017-05-05 2019-06-18 Symantec Corporation Systems and methods for identifying suspicious controller area network messages
US11343237B1 (en) 2017-05-12 2022-05-24 F5, Inc. Methods for managing a federated identity environment using security and access control data and devices thereof
US11122042B1 (en) 2017-05-12 2021-09-14 F5 Networks, Inc. Methods for dynamically managing user access control and devices thereof
US10218697B2 (en) 2017-06-09 2019-02-26 Lookout, Inc. Use of device risk evaluation to manage access to services
GB2563618B (en) * 2017-06-20 2020-09-16 Arm Ip Ltd Electronic system vulnerability assessment
US10552308B1 (en) 2017-06-23 2020-02-04 Square, Inc. Analyzing attributes of memory mappings to identify processes running on a device
US10601848B1 (en) 2017-06-29 2020-03-24 Fireeye, Inc. Cyber-security system and method for weak indicator detection and correlation to generate strong indicators
US10855700B1 (en) 2017-06-29 2020-12-01 Fireeye, Inc. Post-intrusion detection of cyber-attacks during lateral movement within networks
US10503904B1 (en) 2017-06-29 2019-12-10 Fireeye, Inc. Ransomware detection and mitigation
US10893068B1 (en) 2017-06-30 2021-01-12 Fireeye, Inc. Ransomware file modification prevention technique
US10616252B2 (en) 2017-06-30 2020-04-07 SparkCognition, Inc. Automated detection of malware using trained neural network-based file classifiers and machine learning
US10305923B2 (en) 2017-06-30 2019-05-28 SparkCognition, Inc. Server-supported malware detection and protection
CN109214182B (en) * 2017-07-03 2022-04-15 阿里巴巴集团控股有限公司 Method for processing Lesox software in running of virtual machine under cloud platform
US10783239B2 (en) * 2017-08-01 2020-09-22 Pc Matic, Inc. System, method, and apparatus for computer security
US11487868B2 (en) * 2017-08-01 2022-11-01 Pc Matic, Inc. System, method, and apparatus for computer security
US10873588B2 (en) * 2017-08-01 2020-12-22 Pc Matic, Inc. System, method, and apparatus for computer security
US10873589B2 (en) 2017-08-08 2020-12-22 Sonicwall Inc. Real-time prevention of malicious content via dynamic analysis
US11122083B1 (en) 2017-09-08 2021-09-14 F5 Networks, Inc. Methods for managing network connections based on DNS data and network policies and devices thereof
US10747872B1 (en) 2017-09-27 2020-08-18 Fireeye, Inc. System and method for preventing malware evasion
US10805346B2 (en) 2017-10-01 2020-10-13 Fireeye, Inc. Phishing attack detection
US11151252B2 (en) 2017-10-13 2021-10-19 Sonicwall Inc. Just in time memory analysis for malware detection
US11108809B2 (en) 2017-10-27 2021-08-31 Fireeye, Inc. System and method for analyzing binary code for malware classification using artificial neural network techniques
US11636416B2 (en) 2017-11-13 2023-04-25 Tracker Networks Inc. Methods and systems for risk data generation and management
US11271955B2 (en) 2017-12-28 2022-03-08 Fireeye Security Holdings Us Llc Platform and method for retroactive reclassification employing a cybersecurity-based global data store
US11240275B1 (en) 2017-12-28 2022-02-01 Fireeye Security Holdings Us Llc Platform and method for performing cybersecurity analyses employing an intelligence hub with a modular architecture
US11005860B1 (en) 2017-12-28 2021-05-11 Fireeye, Inc. Method and system for efficient cybersecurity analysis of endpoint events
US10685110B2 (en) 2017-12-29 2020-06-16 Sonicwall Inc. Detection of exploitative program code
US10715536B2 (en) 2017-12-29 2020-07-14 Square, Inc. Logical validation of devices against fraud and tampering
US10523679B2 (en) 2018-01-09 2019-12-31 Motorola Solutions, Inc. Systems and methods for improving privacy in vehicular ad hoc network
US10902122B2 (en) 2018-01-31 2021-01-26 Sonicwall Inc. Just in time memory analysis for malware detection
US10831883B1 (en) * 2018-03-16 2020-11-10 NortonLifeLock Inc. Preventing application installation using system-level messages
US11658995B1 (en) 2018-03-20 2023-05-23 F5, Inc. Methods for dynamically mitigating network attacks and devices thereof
US10826931B1 (en) 2018-03-29 2020-11-03 Fireeye, Inc. System and method for predicting and mitigating cybersecurity system misconfigurations
US11558401B1 (en) 2018-03-30 2023-01-17 Fireeye Security Holdings Us Llc Multi-vector malware detection data sharing system for improved detection
US11003773B1 (en) 2018-03-30 2021-05-11 Fireeye, Inc. System and method for automatically generating malware detection rule recommendations
US10956477B1 (en) 2018-03-30 2021-03-23 Fireeye, Inc. System and method for detecting malicious scripts through natural language processing modeling
US11232201B2 (en) 2018-05-14 2022-01-25 Sonicwall Inc. Cloud based just in time memory analysis for malware detection
WO2019229503A1 (en) * 2018-05-31 2019-12-05 Pratik Sharma Application specific malware detection in a co-processing system
US10911487B2 (en) * 2018-06-20 2021-02-02 Checkpoint Mobile Security Ltd On-device network protection
US11314859B1 (en) 2018-06-27 2022-04-26 FireEye Security Holdings, Inc. Cyber-security system and method for detecting escalation of privileges within an access token
US11075930B1 (en) 2018-06-27 2021-07-27 Fireeye, Inc. System and method for detecting repetitive cybersecurity attacks constituting an email campaign
US11228491B1 (en) 2018-06-28 2022-01-18 Fireeye Security Holdings Us Llc System and method for distributed cluster configuration monitoring and management
US11316900B1 (en) 2018-06-29 2022-04-26 FireEye Security Holdings Inc. System and method for automatically prioritizing rules for cyber-threat detection and mitigation
US11044200B1 (en) 2018-07-06 2021-06-22 F5 Networks, Inc. Methods for service stitching using a packet header and devices thereof
US10333976B1 (en) 2018-07-23 2019-06-25 Illusive Networks Ltd. Open source intelligence deceptions
US10404747B1 (en) 2018-07-24 2019-09-03 Illusive Networks Ltd. Detecting malicious activity by using endemic network hosts as decoys
US10382483B1 (en) 2018-08-02 2019-08-13 Illusive Networks Ltd. User-customized deceptions and their deployment in networks
US11294865B2 (en) 2018-08-13 2022-04-05 Citrix Systems, Inc. Using a scan data ledger for distributed security analysis of shared content
US10333977B1 (en) 2018-08-23 2019-06-25 Illusive Networks Ltd. Deceiving an attacker who is harvesting credentials
US11068614B2 (en) * 2018-08-30 2021-07-20 Dell Products, L.P. System-level data security based on environmental properties
US10432665B1 (en) 2018-09-03 2019-10-01 Illusive Networks Ltd. Creating, managing and deploying deceptions on mobile devices
US11182473B1 (en) 2018-09-13 2021-11-23 Fireeye Security Holdings Us Llc System and method for mitigating cyberattacks against processor operability by a guest process
US11507958B1 (en) 2018-09-26 2022-11-22 Block, Inc. Trust-based security for transaction payments
US11494762B1 (en) 2018-09-26 2022-11-08 Block, Inc. Device driver for contactless payments
US11763004B1 (en) 2018-09-27 2023-09-19 Fireeye Security Holdings Us Llc System and method for bootkit detection
US10958677B2 (en) * 2018-12-18 2021-03-23 At&T Intellectual Property I, L.P. Risk identification for unlabeled threats in network traffic
US11368475B1 (en) 2018-12-21 2022-06-21 Fireeye Security Holdings Us Llc System and method for scanning remote services to locate stored objects with malware
US11272251B2 (en) * 2019-04-29 2022-03-08 See A Star LLC Audio-visual portion generation from a live video stream
US20200372183A1 (en) * 2019-05-21 2020-11-26 Hewlett Packard Enterprise Development Lp Digitally Signing Software Packages With Hash Values
US11153315B2 (en) * 2019-05-30 2021-10-19 Bank Of America Corporation Controlling access to secure information resources using rotational datasets and dynamically configurable data containers
US11165777B2 (en) 2019-05-30 2021-11-02 Bank Of America Corporation Controlling access to secure information resources using rotational datasets and dynamically configurable data containers
US11138328B2 (en) 2019-05-30 2021-10-05 Bank Of America Corporation Controlling access to secure information resources using rotational datasets and dynamically configurable data containers
US11258806B1 (en) 2019-06-24 2022-02-22 Mandiant, Inc. System and method for automatically associating cybersecurity intelligence to cyberthreat actors
US11321481B1 (en) * 2019-06-26 2022-05-03 Norton LifeLock, Inc. Method for determining to grant or deny a permission request based on empirical data aggregation
US11556640B1 (en) 2019-06-27 2023-01-17 Mandiant, Inc. Systems and methods for automated cybersecurity analysis of extracted binary string sets
US11392700B1 (en) 2019-06-28 2022-07-19 Fireeye Security Holdings Us Llc System and method for supporting cross-platform data verification
US11580163B2 (en) 2019-08-16 2023-02-14 Palo Alto Networks, Inc. Key-value storage for URL categorization
US11748433B2 (en) 2019-08-16 2023-09-05 Palo Alto Networks, Inc. Communicating URL categorization information
US11886585B1 (en) 2019-09-27 2024-01-30 Musarubra Us Llc System and method for identifying and mitigating cyberattacks through malicious position-independent code execution
US11637862B1 (en) 2019-09-30 2023-04-25 Mandiant, Inc. System and method for surfacing cyber-security threats with a self-learning recommendation engine
US11514187B1 (en) * 2019-11-26 2022-11-29 Wells Fargo Bank, N.A. Systems and methods for managing the processing of customer information within a global enterprise
US11829467B2 (en) 2019-12-18 2023-11-28 Zscaler, Inc. Dynamic rules engine in a cloud-based sandbox
US11323482B2 (en) * 2019-12-31 2022-05-03 Mcafee, Llc Methods, systems, and media for protecting computer systems from user-created objects
US20220012001A1 (en) * 2020-07-09 2022-01-13 Jpmorgan Chase Bank, N.A. Method and apparatus for implementing an application agnostic framework module
US11604674B2 (en) * 2020-09-04 2023-03-14 Elasticsearch B.V. Systems and methods for detecting and filtering function calls within processes for malware behavior
US11675901B2 (en) * 2020-12-22 2023-06-13 Mcafee, Llc Malware detection from operating system event tracing
KR20240003616A (en) * 2022-07-01 2024-01-09 주식회사 안랩 Action scan service system and control method for action scan service

Citations (235)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US3416032A (en) 1966-03-23 1968-12-10 Motorola Inc Lamp dimming circuit
US4553257A (en) 1982-04-28 1985-11-12 Pioneer Electronic Corp. Automatic sound volume control device
US5319776A (en) 1990-04-19 1994-06-07 Hilgraeve Corporation In transit detection of computer virus with safeguard
US5574775A (en) 1993-08-04 1996-11-12 Lucent Technologies, Inc. Universal wireless radiotelephone system
US5715518A (en) 1996-03-06 1998-02-03 Cellular Technical Services Company, Inc. Adaptive waveform matching for use in transmitter identification
US6185689B1 (en) 1998-06-24 2001-02-06 Richard S. Carson & Assoc., Inc. Method for network self security assessment
US6269456B1 (en) 1997-12-31 2001-07-31 Network Associates, Inc. Method and system for providing automated updating and upgrading of antivirus applications using a computer network
US6272353B1 (en) 1999-08-20 2001-08-07 Siemens Information And Communication Mobile Llc. Method and system for mobile communications
US6301668B1 (en) 1998-12-29 2001-10-09 Cisco Technology, Inc. Method and system for adaptive network security using network vulnerability assessment
US20010044339A1 (en) 2000-02-17 2001-11-22 Angel Cordero Multi-player computer game, system and method
US20020042886A1 (en) 2000-08-31 2002-04-11 Pasi Lahti Software virus protection
US20020087483A1 (en) 2000-12-29 2002-07-04 Shlomi Harif System, method and program for creating and distributing processes in a heterogeneous network
US20020108058A1 (en) 2001-02-08 2002-08-08 Sony Corporation And Sony Electronics Inc. Anti-theft system for computers and other electronic devices
US6453345B2 (en) 1996-11-06 2002-09-17 Datadirect Networks, Inc. Network security and surveillance system
US20020183060A1 (en) 2001-05-07 2002-12-05 Lg Electronics Inc. Map message processing system and method for interworking between heterogeneous networks
US20020191018A1 (en) 2001-05-31 2002-12-19 International Business Machines Corporation System and method for implementing a graphical user interface across dissimilar platforms yet retaining similar look and feel
US20030028803A1 (en) 2001-05-18 2003-02-06 Bunker Nelson Waldo Network vulnerability assessment system and method
US6529143B2 (en) 1998-10-23 2003-03-04 Nokia Mobile Phones Ltd. Information retrieval system
US20030046134A1 (en) 2001-08-28 2003-03-06 Frolick Harry A. Web-based project management system
US20030079145A1 (en) 2001-08-01 2003-04-24 Networks Associates Technology, Inc. Platform abstraction layer for a wireless malware scanning engine
US20030115485A1 (en) 2001-12-14 2003-06-19 Milliken Walter Clark Hash-based systems and methods for detecting, preventing, and tracing network worms and viruses
US20030120951A1 (en) 2001-12-21 2003-06-26 Gartside Paul Nicholas Generating malware definition data for mobile computing devices
US20030131148A1 (en) 2002-01-10 2003-07-10 David Kelley Cross-platform software development with a software development peripheral
US20040022258A1 (en) 2002-07-30 2004-02-05 Docomo Communications Laboratories Usa, Inc. System for providing access control platform service for private networks
US6696941B2 (en) 2001-09-04 2004-02-24 Agere Systems Inc. Theft alarm in mobile device
US20040133624A1 (en) 2003-01-06 2004-07-08 Seung-Joon Park Method and apparatus for performing common call processing management using common software platform
US20040158741A1 (en) 2003-02-07 2004-08-12 Peter Schneider System and method for remote virus scanning in wireless networks
US6792543B2 (en) 2001-08-01 2004-09-14 Networks Associates Technology, Inc. Virus scanning on thin client devices using programmable assembly language
US20040185900A1 (en) 2003-03-20 2004-09-23 Mcelveen William Cell phone with digital camera and smart buttons and methods for using the phones for security monitoring
US20040209608A1 (en) 2003-04-17 2004-10-21 Ntt Docomo, Inc. API system, method and computer program product for accessing content/security analysis functionality in a mobile communication framework
US20040225887A1 (en) 2003-05-08 2004-11-11 O'neil Douglas R. Centralized authentication system
US20040259532A1 (en) 2001-10-31 2004-12-23 Markus Isomaki Method for handling of messages between a terminal and a data network
US20050010821A1 (en) 2003-04-29 2005-01-13 Geoffrey Cooper Policy-based vulnerability assessment
US20050015443A1 (en) 2000-10-10 2005-01-20 Alex Levine Personal message delivery system
US20050076246A1 (en) 2003-10-01 2005-04-07 Singhal Tara Chand Method and apparatus for network security using a router based authentication system
US20050074106A1 (en) 2002-11-14 2005-04-07 Alcatel Call establishment method
US20050091308A1 (en) 2003-09-29 2005-04-28 Peter Bookman Mobility device
US6892225B1 (en) 2000-07-19 2005-05-10 Fusionone, Inc. Agent system for a secure remote access system
US6907530B2 (en) 2001-01-19 2005-06-14 V-One Corporation Secure internet applications with mobile code
US20050130627A1 (en) 2003-11-26 2005-06-16 Benoit Calmels Authentication between a cellular phone and an access point of a short-range network
US20050138395A1 (en) 2003-12-18 2005-06-23 Benco David S. Network support for mobile handset anti-virus protection
US20050138413A1 (en) 2003-12-11 2005-06-23 Richard Lippmann Network security planning architecture
US20050138450A1 (en) 2003-12-19 2005-06-23 Cheng-Hsueh Hsieh Apparatus and method for power performance monitors for low-power program tuning
US20050154796A1 (en) 2002-03-06 2005-07-14 Forsyth John M. Method of enabling a wireless information device to access data services
US20050186954A1 (en) 2004-02-20 2005-08-25 Tom Kenney Systems and methods that provide user and/or network personal data disabling commands for mobile devices
US20050197099A1 (en) 2004-03-08 2005-09-08 Lan-Ver Technologies Solutions Ltd. Cellular device security apparatus and method
US20050221800A1 (en) 2004-03-31 2005-10-06 Jackson Riley W Method for remote lockdown of a mobile computer
US20050227669A1 (en) 2004-04-08 2005-10-13 Ixi Mobile (R&D) Ltd. Security key management system and method in a mobile communication network
US6959184B1 (en) 1999-06-30 2005-10-25 Lucent Technologies Inc. Method for determining the security status of transmissions in a telecommunications network
WO2005101789A1 (en) 2004-04-14 2005-10-27 Gurunath Samir Kalekar A system for real-time network based vulnerability assessment of a host/device
US20050237970A1 (en) 2000-09-14 2005-10-27 Kabushiki Kaisha Toshiba Packet transfer scheme using mobile terminal and router for preventing attacks using global address
US20050254654A1 (en) 2004-04-19 2005-11-17 The Boeing Company Security state vector for mobile network platform
US20050278777A1 (en) 2004-06-14 2005-12-15 Hackerproof Security, Inc. Method and system for enforcing secure network connection
US20050282533A1 (en) 2004-03-22 2005-12-22 Vadim Draluk Method and apparatus for dynamic extension of device management tree data model on a mobile
US20060026283A1 (en) 2004-07-30 2006-02-02 Trueba Luis Ruben Z System and method for updating software on a computer
US7020895B2 (en) 1999-12-24 2006-03-28 F-Secure Oyj Remote computer virus scanning
US7023383B2 (en) 1999-01-08 2006-04-04 Trueposition, Inc. Multiple pass location processor
US20060073820A1 (en) 2002-10-10 2006-04-06 Craswell Ronald J Method and apparatus for remote control and updating of wireless mobile devices
US20060080680A1 (en) 2004-10-12 2006-04-13 Majid Anwar Platform independent dynamic linking
US20060095454A1 (en) 2004-10-29 2006-05-04 Texas Instruments Incorporated System and method for secure collaborative terminal identity authentication between a wireless communication device and a wireless operator
US20060101518A1 (en) 2004-11-05 2006-05-11 Schumaker Troy T Method to generate a quantitative measurement of computer security vulnerabilities
US20060130145A1 (en) 2004-11-20 2006-06-15 Choi Byeong C System and method for analyzing malicious code protocol and generating harmful traffic
US7069589B2 (en) 2000-07-14 2006-06-27 Computer Associates Think, Inc.. Detection of a class of viral code
US20060150256A1 (en) 2004-12-03 2006-07-06 Whitecell Software Inc. A Delaware Corporation Secure system for allowing the execution of authorized computer program code
US20060150238A1 (en) 2005-01-04 2006-07-06 Symbol Technologies, Inc. Method and apparatus of adaptive network policy management for wireless mobile computers
US20060179485A1 (en) 2005-02-09 2006-08-10 Gary Longsine Intrusion handling system and method for a packet network with dynamic network address utilization
US20060218482A1 (en) 2002-04-19 2006-09-28 Droplet Technology, Inc. Mobile imaging application, device architecture, service platform architecture and services
US20060217115A1 (en) 2005-03-18 2006-09-28 Cassett Tia M Methods and apparatus for monitoring configurable performance levels in a wireless device
US20060224742A1 (en) 2005-02-28 2006-10-05 Trust Digital Mobile data security system and methods
US7123933B2 (en) 2001-05-31 2006-10-17 Orative Corporation System and method for remote application management of a wireless device
US20060236325A1 (en) 2005-03-21 2006-10-19 Rao Bindu R Mobile device client
WO2006110181A2 (en) 2004-10-29 2006-10-19 Skyhook Wireless, Inc. Location beacon database and server, method of building location beacon database, and location based service using same
US7127455B2 (en) 2002-11-12 2006-10-24 Hewlett-Packard Development Company, L.P. Taxonomy for mobile e-services
US20060253205A1 (en) 2005-05-09 2006-11-09 Michael Gardiner Method and apparatus for tabular process control
US20060253584A1 (en) 2005-05-03 2006-11-09 Dixon Christopher J Reputation of an entity associated with a content item
US20060272011A1 (en) 2000-06-30 2006-11-30 Internet Security Systems, Inc. Method and apparatus for network assessment and authentication
US20060277408A1 (en) 2005-06-03 2006-12-07 Bhat Sathyanarayana P System and method for monitoring and maintaining a wireless device
US20060294582A1 (en) 2005-06-28 2006-12-28 Symbol Technologies, Inc. Mobility policy manager for mobile computing devices
US7159237B2 (en) 2000-03-16 2007-01-02 Counterpane Internet Security, Inc. Method and system for dynamic network intrusion monitoring, detection and response
US20070005327A1 (en) 2000-01-24 2007-01-04 Radioscape Limited Digital wireless basestation
US20070011319A1 (en) 2002-01-15 2007-01-11 Mcclure Stuart C System and method for network vulnerability detection and reporting
US20070015519A1 (en) 2005-07-12 2007-01-18 Qwest Communications International Inc. User defined location based notification for a mobile communications device systems and methods
US20070016953A1 (en) 2005-06-30 2007-01-18 Prevx Limited Methods and apparatus for dealing with malware
US20070016955A1 (en) 2004-09-24 2007-01-18 Ygor Goldberg Practical threat analysis
US20070021112A1 (en) 2005-07-21 2007-01-25 Sun Microsystems, Inc. Method and system for ensuring mobile data security
US20070028303A1 (en) 2005-07-29 2007-02-01 Bit 9, Inc. Content tracking in a network security system
US20070028304A1 (en) 2005-07-29 2007-02-01 Bit 9, Inc. Centralized timed analysis in a network security system
US20070028095A1 (en) 2005-07-28 2007-02-01 Allen David L Security certificate management
US7178166B1 (en) 2000-09-19 2007-02-13 Internet Security Systems, Inc. Vulnerability assessment and authentication of a computer by a local scanner
US20070038677A1 (en) 2005-07-27 2007-02-15 Microsoft Corporation Feedback-driven malware detector
US7181252B2 (en) 2002-12-10 2007-02-20 Nokia Corporation System and method for performing security functions of a mobile station
US20070050471A1 (en) 2005-08-31 2007-03-01 Microsoft Corporation Portable Remoting Component With A Scaleable Feature Set
US20070086476A1 (en) 2001-07-20 2007-04-19 Smartmatic, Corp. Method for smart device network application infrastructure (SDNA)
US20070089165A1 (en) 2005-10-15 2007-04-19 Huawei Technologies Co. Ltd. Method and System for Network Security Control
US7210168B2 (en) 2001-10-15 2007-04-24 Mcafee, Inc. Updating malware definition data for mobile data processing devices
US20070090954A1 (en) 2005-04-14 2007-04-26 Kevin Mahaffey RFID security system and methods
US7228566B2 (en) 2001-07-10 2007-06-05 Core Sdi, Incorporated Automated computer system security compromise
US7237264B1 (en) 2001-06-04 2007-06-26 Internet Security Systems, Inc. System and method for preventing network misuse
US7236598B2 (en) 2000-05-23 2007-06-26 Invicta Networks, Inc. Systems and methods for communication protection
US20070154014A1 (en) 2005-12-30 2007-07-05 Selim Aissi Using a trusted-platform-based shared-secret derivation and WWAN infrastructure-based enrollment to establish a secure local channel
US20070174472A1 (en) 2006-01-20 2007-07-26 Verimatrix, Inc. Network security system and method
US20070186282A1 (en) 2006-02-06 2007-08-09 Microsoft Corporation Techniques for identifying and managing potentially harmful web traffic
US20070190995A1 (en) 2006-02-13 2007-08-16 Nokia Corporation Remote control of a mobile device
US7266810B2 (en) 2002-04-09 2007-09-04 Hewlett-Packard Development Company, Lp. Runtime profiling of platform-independent software applications
US20070214504A1 (en) 2004-03-30 2007-09-13 Paolo Milani Comparetti Method And System For Network Intrusion Detection, Related Network And Computer Program Product
US20070240222A1 (en) * 2006-04-06 2007-10-11 George Tuvell System and Method for Managing Malware Protection on Mobile Devices
US20070248047A1 (en) 2006-01-31 2007-10-25 Peter Shorty Home electrical device control within a wireless mesh network
US20070250627A1 (en) 2006-04-21 2007-10-25 May Robert A Method, apparatus, signals and medium for enforcing compliance with a policy on a client computer
US7290276B2 (en) 2003-02-06 2007-10-30 Lenovo Singapore Pte. Ltd. Information processing apparatus for secure information recovery
US7304570B2 (en) 2005-08-10 2007-12-04 Scenera Technologies, Llc Methods, systems, and computer program products for providing context-based, hierarchical security for a mobile device
US7308256B2 (en) 2002-02-28 2007-12-11 Ntt Docomo, Inc. Mobile communication terminal, information processing apparatus, relay server apparatus, information processing system, and information processing method
US7308712B2 (en) 2001-12-31 2007-12-11 Mcafee, Inc. Automated computer vulnerability resolution system
US20070293263A1 (en) 2006-06-14 2007-12-20 Hossein Eslambolchi Method and apparatus for providing multi-system cellular communications
US20070297610A1 (en) 2006-06-23 2007-12-27 Microsoft Corporation Data protection for a mobile device
WO2007081356A3 (en) 2005-02-22 2008-01-10 Skyhook Wireless Inc Continuous data optimization in positioning system
WO2008007111A1 (en) 2006-07-14 2008-01-17 Vodaphone Group Plc Telecommunications device security
US7325249B2 (en) 2001-04-30 2008-01-29 Aol Llc Identifying unwanted electronic messages
US20080028470A1 (en) 2006-07-25 2008-01-31 Mark Remington Systems and Methods for Vulnerability Detection and Scoring with Threat Assessment
US20080046557A1 (en) 2005-03-23 2008-02-21 Cheng Joseph C Method and system for designing, implementing, and managing client applications on mobile devices
US20080047007A1 (en) 2006-08-18 2008-02-21 Microsoft Corporation Network security page
US20080046369A1 (en) 2006-07-27 2008-02-21 Wood Charles B Password Management for RSS Interfaces
US20080049653A1 (en) 2006-08-28 2008-02-28 Mustafa Demirhan Battery level based configuration of a mobile station by a base station
US20080065507A1 (en) 2006-09-12 2008-03-13 James Morrison Interactive digital media services
US20080070495A1 (en) 2006-08-18 2008-03-20 Michael Stricklen Mobile device management
US20080072329A1 (en) 2006-09-14 2008-03-20 Interdigital Technology Corporation Method and system for enhancing flow of behavior metrics and evaluation of security of a node
US7356835B2 (en) 2003-08-26 2008-04-08 Mitel Networks Corporation Security monitor for PDA attached telephone
US20080086776A1 (en) 2006-10-06 2008-04-10 George Tuvell System and method of malware sample collection on mobile networks
US20080086773A1 (en) 2006-10-06 2008-04-10 George Tuvell System and method of reporting and visualizing malware on mobile networks
US20080109871A1 (en) 2006-09-13 2008-05-08 Richard Jacobs Policy management
WO2008057737A2 (en) 2006-11-07 2008-05-15 Skyhook Wireless, Inc. System and method for estimating positioning error within a wlan-based positioning system
US7376969B1 (en) 2002-12-02 2008-05-20 Arcsight, Inc. Real time monitoring and analysis of events from multiple network security devices
US20080127336A1 (en) 2006-09-19 2008-05-29 Microsoft Corporation Automated malware signature generation
US20080127334A1 (en) 2006-09-14 2008-05-29 Computer Associates Think, Inc. System and method for using rules to protect against malware
US20080127171A1 (en) 2006-09-15 2008-05-29 Altiris, Inc. Method and System for Creating and Executing Generic Software Packages
US20080127179A1 (en) 2006-09-25 2008-05-29 Barrie Jon Moss System and apparatus for deployment of application and content to different platforms
US20080134281A1 (en) 2006-11-30 2008-06-05 Mcafee, Inc. Method and system for enhanced wireless network security
US20080132218A1 (en) 2006-11-30 2008-06-05 Yuval Samson Method and Apparatus for Starting Applications
US7386297B2 (en) 2002-12-28 2008-06-10 Curitel Communications, Inc. Mobile communication system and mobile terminal having function of inactivating mobile communication viruses, and method thereof
US20080140767A1 (en) 2006-06-14 2008-06-12 Prasad Rao Divitas description protocol and methods therefor
US20080148381A1 (en) 2006-10-30 2008-06-19 Jeffrey Aaron Methods, systems, and computer program products for automatically configuring firewalls
US7392543B2 (en) 2003-06-30 2008-06-24 Symantec Corporation Signature extraction system and method
US7397424B2 (en) 2005-02-03 2008-07-08 Mexens Intellectual Property Holding, Llc System and method for enabling continuous geographic location estimation for wireless computing devices
US7397434B2 (en) 2005-09-16 2008-07-08 Samsung Electro-Mechanics Co., Ltd. Built-in antenna module of wireless communication terminal
US20080172746A1 (en) 2007-01-17 2008-07-17 Lotter Robert A Mobile communication device monitoring systems and methods
US20080178294A1 (en) 2006-11-27 2008-07-24 Guoning Hu Wireless intrusion prevention system and method
US20080181116A1 (en) 2007-01-17 2008-07-31 Richard Thomas Kavanaugh Quality of service application programming interface over socket
US20080196104A1 (en) 2007-02-09 2008-08-14 George Tuvell Off-line mms malware scanning system and method
US7415270B2 (en) 2002-02-15 2008-08-19 Telefonaktiebolaget L M Ericsson (Publ) Middleware services layer for platform system for mobile terminals
US20080200160A1 (en) 2006-09-28 2008-08-21 Dudley Fitzpatrick Apparatuses, Methods and Systems for Ambiguous Code-Triggered Information Querying and Serving on Mobile Devices
US20080209557A1 (en) 2007-02-28 2008-08-28 Microsoft Corporation Spyware detection mechanism
US20080208950A1 (en) 2004-08-19 2008-08-28 Sk Telecom Co., Ltd. Method and Apparatus for Integrating and Managing Information of Mobile Terminal
US20080235801A1 (en) * 2007-03-20 2008-09-25 Microsoft Corporation Combining assessment models and client targeting to identify network security vulnerabilities
US20080276111A1 (en) 2004-09-03 2008-11-06 Jacoby Grant A Detecting Software Attacks By Monitoring Electric Power Consumption Patterns
US20080293396A1 (en) 2007-05-23 2008-11-27 Robert John Barnes Integrating Mobile Device Based Communication Session Recordings
US20080307243A1 (en) 2007-02-16 2008-12-11 Lee Michael M Anticipatory Power Management for Battery-Powered Electronic Device
US7467206B2 (en) 2002-12-23 2008-12-16 Microsoft Corporation Reputation system for web services
US20080318562A1 (en) 2007-03-02 2008-12-25 Aegis Mobility, Inc. System and methods for monitoring the context associated with a mobile communication device
US7472422B1 (en) 2003-09-10 2008-12-30 Symantec Corporation Security management system including feedback and control
US7471954B2 (en) 2006-02-24 2008-12-30 Skyhook Wireless, Inc. Methods and systems for estimating a user position in a WLAN positioning system based on user assigned access point locations
US7502620B2 (en) 2005-03-04 2009-03-10 Shyhook Wireless, Inc. Encoding and compression of a location beacon database
US7515578B2 (en) 2006-05-08 2009-04-07 Skyhook Wireless, Inc. Estimation of position using WLAN access point radio propagation characteristics in a WLAN positioning system
US7525541B2 (en) 2004-04-05 2009-04-28 Actuality Systems, Inc. Data processing for three-dimensional displays
US7551579B2 (en) 2006-05-08 2009-06-23 Skyhook Wireless, Inc. Calculation of quality of wlan access point characterization for use in a wlan positioning system
US7551929B2 (en) 2006-05-08 2009-06-23 Skyhook Wireless, Inc. Estimation of speed and direction of travel in a WLAN positioning system using multiple position estimations
US20090172227A1 (en) 2007-12-27 2009-07-02 Igt Serial advanced technology attachment write protection: mass storage data protection device
US20090199298A1 (en) 2007-06-26 2009-08-06 Miliefsky Gary S Enterprise security management for network equipment
US20090205047A1 (en) 2008-02-08 2009-08-13 Guy Podjarny Method and Apparatus for Security Assessment of a Computing Platform
US20090205016A1 (en) 2007-12-10 2009-08-13 Milas Brian T Policy enforcement using esso
US20090248623A1 (en) 2007-05-09 2009-10-01 The Go Daddy Group, Inc. Accessing digital identity related reputation data
US20090293125A1 (en) * 2008-05-21 2009-11-26 Symantec Corporation Centralized Scanner Database With Qptimal Definition Distribution Using Network Queries
US20100019731A1 (en) 2008-07-24 2010-01-28 Sean Connolly Device and Method for Instantaneous Load Reduction Configuration to Prevent Under Voltage Condition
US20100064341A1 (en) 2006-03-27 2010-03-11 Carlo Aldera System for Enforcing Security Policies on Mobile Communications Devices
US7685132B2 (en) 2006-03-15 2010-03-23 Mog, Inc Automatic meta-data sharing of existing media through social networking
GB2430588B (en) 2005-09-20 2010-03-24 Alireza Mousavi Khalkhali Communication system and method
US7696923B2 (en) 2005-02-03 2010-04-13 Mexens Intellectual Property Holding Llc System and method for determining geographic location of wireless computing devices
US20100097494A1 (en) 2008-10-21 2010-04-22 Qualcomm Incorporated Multimode GPS-Enabled Camera
US20100100959A1 (en) 2008-10-21 2010-04-22 Flexilis, Inc. System and method for monitoring and analyzing multiple interfaces and multiple protocols
US20100100964A1 (en) 2008-10-21 2010-04-22 Flexilis, Inc. Security status and information display system
US20100100939A1 (en) 2008-10-21 2010-04-22 Flexilis, Inc. Secure mobile platform system
US20100100591A1 (en) 2008-10-21 2010-04-22 Flexilis, Inc. System and method for a mobile cross-platform software system
US20100100963A1 (en) 2008-10-21 2010-04-22 Flexilis, Inc. System and method for attack and malware prevention
US20100154032A1 (en) * 2008-12-12 2010-06-17 International Business Machines Corporation System and Method for Classification of Unwanted or Malicious Software Through the Identification of Encrypted Data Communication
US7768963B2 (en) 2006-07-07 2010-08-03 Skyhook Wireless, Inc. System and method of improving sampling of WLAN packet information to improve estimates of Doppler frequency of a WLAN positioning device
US7774637B1 (en) 2007-09-05 2010-08-10 Mu Dynamics, Inc. Meta-instrumentation for security analysis
US20100210240A1 (en) 2009-02-17 2010-08-19 Flexilis, Inc. System and method for remotely securing or recovering a mobile device
US7783281B1 (en) 2004-04-22 2010-08-24 Sprint Spectrum L.P. Method and system for securing a mobile device
US20100240419A1 (en) 2006-03-28 2010-09-23 Kyocera Corporation Mobile Terminal and Functional Operation Control Method of the Same
US7809353B2 (en) 2006-05-18 2010-10-05 Research In Motion Limited Automatic security action invocation for mobile communications device
US7835754B2 (en) 2006-05-08 2010-11-16 Skyhook Wireless, Inc. Estimation of speed and direction of travel in a WLAN positioning system
US20100313270A1 (en) * 2009-06-05 2010-12-09 The Regents Of The University Of Michigan System and method for detecting energy consumption anomalies and mobile malware variants
US7856373B2 (en) 2006-09-14 2010-12-21 Shah Ullah Targeting content to network-enabled devices based upon stored profiles
US20100332593A1 (en) * 2009-06-29 2010-12-30 Igor Barash Systems and methods for operating an anti-malware network on a cloud computing platform
US20110047594A1 (en) 2008-10-21 2011-02-24 Lookout, Inc., A California Corporation System and method for mobile communication device application advisement
US20110047033A1 (en) 2009-02-17 2011-02-24 Lookout, Inc. System and method for mobile device replacement
US20110047620A1 (en) 2008-10-21 2011-02-24 Lookout, Inc., A California Corporation System and method for server-coupled malware prevention
US20110047597A1 (en) 2008-10-21 2011-02-24 Lookout, Inc., A California Corporation System and method for security data collection and analysis
US7907966B1 (en) 2005-07-19 2011-03-15 Aol Inc. System and method for cross-platform applications on a wireless phone
US20110119765A1 (en) 2009-11-18 2011-05-19 Flexilis, Inc. System and method for identifying and assessing vulnerabilities on a mobile communication device
US20110145920A1 (en) 2008-10-21 2011-06-16 Lookout, Inc System and method for adverse mobile application identification
US20110171923A1 (en) 2008-05-22 2011-07-14 At&T Mobility Ii Llc Designation Of Cellular Broadcast Message Identifiers For The Commercial Mobile Alert System
US7991854B2 (en) 2004-03-19 2011-08-02 Microsoft Corporation Dynamic session maintenance for mobile computing devices
US7999742B2 (en) 2008-06-06 2011-08-16 Skyhook Wireless, Inc. System and method for using a satellite positioning system to filter WLAN access points in a hybrid positioning system
US8014788B2 (en) 2006-05-08 2011-09-06 Skyhook Wireless, Inc. Estimation of speed of travel using the dynamic signal strength variation of multiple WLAN access points
US20110296510A1 (en) 2010-05-27 2011-12-01 Microsoft Corporation Protecting user credentials using an intermediary component
US8087082B2 (en) 2006-04-29 2011-12-27 Ironport Systems, Inc. Apparatus for filtering server responses
US8108555B2 (en) 2006-11-09 2012-01-31 Yahoo! Inc. System and method for transmission of DNS beacons
US8121617B1 (en) 2008-12-09 2012-02-21 Lagrotta James Thomas Method of remotely locating a mobile device equipped with a radio receiver
US8126456B2 (en) 2007-01-17 2012-02-28 Eagency, Inc. Mobile communication device monitoring systems and methods
US8127358B1 (en) * 2007-05-30 2012-02-28 Trend Micro Incorporated Thin client for computer security applications
WO2012027588A1 (en) 2010-08-25 2012-03-01 Lookout, Inc. System and method for server-coupled malware prevention
US20120072569A1 (en) 2010-02-12 2012-03-22 Verizon Patent And Licensing, Inc. Failure system for domain name system client
US20120110174A1 (en) 2008-10-21 2012-05-03 Lookout, Inc. System and method for a scanning api
US20120124239A1 (en) 2010-11-17 2012-05-17 Hola, Inc. Method and system for increasing speed of domain name system resolution within a computing device
US8195196B2 (en) 2006-12-29 2012-06-05 United States Cellular Corporation Mobility based service in wireless environment
US20120179801A1 (en) 2011-01-07 2012-07-12 Michael Luna System and method for reduction of mobile network traffic used for domain name system (dns) queries
US20120179814A1 (en) 2000-07-19 2012-07-12 Akamai Technologies, Inc. Determination and use of metrics in a domain name service (DNS) system
US20120188064A1 (en) 2009-02-17 2012-07-26 Lookout. Inc., a California Corporation System and method for remotely initiating playing of sound on a mobile device
US20120196571A1 (en) 2009-02-17 2012-08-02 Lookout Inc. System and method for remotely-initiated audio communication
US8261351B1 (en) 2008-01-22 2012-09-04 F5 Networks, Inc. DNS flood protection platform for a network
US8259568B2 (en) 2006-10-23 2012-09-04 Mcafee, Inc. System and method for controlling mobile device access to a network
US8266324B2 (en) 2008-06-12 2012-09-11 International Business Machines Corporation Domain specific domain name service
US8266288B2 (en) 2008-10-23 2012-09-11 International Business Machines Corporation Dynamic expiration of domain name service entries
US20120259954A1 (en) 2005-11-21 2012-10-11 Limelight Networks, Inc. Domain name resolution resource allocation
US20120303735A1 (en) 2006-10-05 2012-11-29 Limelight Networks, Inc. Domain name service resolver
US20120317233A1 (en) 2011-06-13 2012-12-13 International Business Machines Corporation Mobile web app infrastructure
US20120324076A1 (en) 2011-06-14 2012-12-20 Lodgenet Interactive Corporation Method and apparatus for pairing a mobile device to an output device
US20120324568A1 (en) 2011-06-14 2012-12-20 Lookout, Inc., A California Corporation Mobile web protection
US20120324094A1 (en) 2011-06-14 2012-12-20 Lookout, Inc., A California Corporation Mobile device dns optimization
US8346860B2 (en) 2010-10-08 2013-01-01 Lumi Technologies Limited Multi-phased and partitioned content preparation and delivery
US8356080B2 (en) 2011-04-19 2013-01-15 Seven Networks, Inc. System and method for a mobile device to use physical storage of another device for caching
US20130019311A1 (en) 2000-07-19 2013-01-17 Akamai Technologies, Inc. Method and system for handling computer network attacks
US20130023209A1 (en) 2007-11-14 2013-01-24 Blaze Mobile, Inc. Mobile communication device secure near field communication payment transactions with authentication
US8364785B2 (en) 2007-03-12 2013-01-29 Citrix Systems, Inc. Systems and methods for domain name resolution interception caching
US20130041974A1 (en) 2010-11-01 2013-02-14 Seven Networks, Inc. Application and network-based long poll request detection and cacheability assessment therefor
US20130047034A1 (en) 2011-08-17 2013-02-21 Lookout, Inc., A California Corporation System and method for mobile device push communications

Family Cites Families (45)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7975305B2 (en) 1997-11-06 2011-07-05 Finjan, Inc. Method and system for adaptive rule-based content scanners for desktop computers
US7188138B1 (en) 1999-03-22 2007-03-06 Eric Schneider Method, product, and apparatus for resource identifier registration and aftermarket services
US7814180B2 (en) 2000-07-13 2010-10-12 Infoblox, Inc. Domain name service server
CN100346338C (en) 2001-07-12 2007-10-31 捷讯研究有限公司 System and method for providing remote data access and transcoding for a mobile communication device
US7526297B1 (en) 2001-10-30 2009-04-28 Cisco Technology, Inc. Method and system for managing pushed data at a mobile unit
US7159036B2 (en) 2001-12-10 2007-01-02 Mcafee, Inc. Updating data from a source computer to groups of destination computers
US6577274B1 (en) * 2001-12-19 2003-06-10 Intel Corporation Method and apparatus for controlling access to mobile devices
JP3943467B2 (en) 2002-09-18 2007-07-11 株式会社エヌ・ティ・ティ・ドコモ Relay device, information transmission device, and information transmission method
US7526800B2 (en) * 2003-02-28 2009-04-28 Novell, Inc. Administration of protection of data accessible by a mobile device
JP3703457B2 (en) 2003-01-21 2005-10-05 キヤノン株式会社 Address notification method, program, and apparatus
EP1709556A4 (en) * 2003-12-23 2011-08-10 Trust Digital Llc System and method for enforcing a security policy on mobile devices using dynamically generated security profiles
US8037203B2 (en) 2004-02-19 2011-10-11 International Business Machines Corporation User defined preferred DNS reference
WO2006063118A2 (en) 2004-12-07 2006-06-15 Pure Networks, Inc. Network management
CN100364342C (en) 2005-04-26 2008-01-23 华为技术有限公司 Method for push business
US7539882B2 (en) 2005-05-30 2009-05-26 Rambus Inc. Self-powered devices and methods
WO2007045155A1 (en) * 2005-10-15 2007-04-26 Huawei Technologies Co., Ltd. A method for realizing mobile station secure update and correlative reacting system
US7707553B2 (en) 2005-12-08 2010-04-27 International Business Machines Corporation Computer method and system for automatically creating tests for checking software
US7660296B2 (en) 2005-12-30 2010-02-09 Akamai Technologies, Inc. Reliable, high-throughput, high-performance transport and routing mechanism for arbitrary data flows
US20070174490A1 (en) 2006-01-25 2007-07-26 Greystripe Inc. System and methods for managing content in pre-existing mobile applications
US8719391B2 (en) 2006-03-07 2014-05-06 Nokia Corporation Method and system for controlling contextual information push services
US20070253377A1 (en) 2006-04-28 2007-11-01 Motorola, Inc. Apparatus and method for name resolution in an aggregation of mobile networks
US7809936B2 (en) 2006-08-02 2010-10-05 Freescale Semiconductor, Inc. Method and apparatus for reconfiguring a remote device
US8385883B2 (en) 2007-02-06 2013-02-26 Qualcomm Incorporated Apparatus and methods for locating, tracking and/or recovering a wireless communication device
US8504775B2 (en) 2007-03-12 2013-08-06 Citrix Systems, Inc Systems and methods of prefreshening cached objects based on user's current web page
KR20090027000A (en) 2007-09-11 2009-03-16 한국전자통신연구원 Apparatus and method of constructing user behavior pattern based on the event log generated from the context aware system environment
US8972518B2 (en) * 2007-09-20 2015-03-03 Flash Networks Ltd. Integrated data-model and flow based policy system
CN101136837A (en) 2007-09-21 2008-03-05 华为技术有限公司 Push-delivery message control method, device and system
US8099764B2 (en) 2007-12-17 2012-01-17 Microsoft Corporation Secure push and status communication between client and server
US8423306B2 (en) 2008-05-22 2013-04-16 Microsoft Corporation Battery detection and user experience
KR100960262B1 (en) 2008-08-14 2010-06-07 한전케이피에스 주식회사 An endoscope of formed flexible printed circuit film type using imaging device
US8117306B1 (en) 2008-09-29 2012-02-14 Amazon Technologies, Inc. Optimizing content management
US8051166B1 (en) 2008-09-29 2011-11-01 Amazon Technologies, Inc. Service provider optimization of content management
US8401521B2 (en) 2008-11-25 2013-03-19 Broadcom Corporation Enabling remote and anonymous control of mobile and portable multimedia devices for security, tracking and recovery
US8447856B2 (en) 2008-11-25 2013-05-21 Barracuda Networks, Inc. Policy-managed DNS server for to control network traffic
US20100138501A1 (en) 2008-12-03 2010-06-03 Microsoft Corporation End-to-end validation in a push environment
US8935428B2 (en) 2009-06-24 2015-01-13 Broadcom Corporation Fault tolerance approaches for DNS server failures
US8370933B1 (en) 2009-11-24 2013-02-05 Symantec Corporation Systems and methods for detecting the insertion of poisoned DNS server addresses into DHCP servers
US8209491B2 (en) 2010-04-27 2012-06-26 Symantec Corporation Techniques for directory server integration
US8463915B1 (en) 2010-09-17 2013-06-11 Google Inc. Method for reducing DNS resolution delay
US9313085B2 (en) 2010-12-16 2016-04-12 Microsoft Technology Licensing, Llc DNS-based determining whether a device is inside a network
US8806647B1 (en) 2011-04-25 2014-08-12 Twitter, Inc. Behavioral scanning of mobile applications
EP2702500B1 (en) 2011-04-27 2017-07-19 Seven Networks, LLC Detecting and preserving state for satisfying application requests in a distributed proxy and cache system
US8285808B1 (en) 2011-05-20 2012-10-09 Cloudflare, Inc. Loading of web resources
US20120317153A1 (en) 2011-06-07 2012-12-13 Apple Inc. Caching responses for scoped and non-scoped domain name system queries
US9026814B2 (en) 2011-06-17 2015-05-05 Microsoft Technology Licensing, Llc Power and load management based on contextual information

Patent Citations (276)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US3416032A (en) 1966-03-23 1968-12-10 Motorola Inc Lamp dimming circuit
US4553257A (en) 1982-04-28 1985-11-12 Pioneer Electronic Corp. Automatic sound volume control device
US5319776A (en) 1990-04-19 1994-06-07 Hilgraeve Corporation In transit detection of computer virus with safeguard
US5574775A (en) 1993-08-04 1996-11-12 Lucent Technologies, Inc. Universal wireless radiotelephone system
US5715518A (en) 1996-03-06 1998-02-03 Cellular Technical Services Company, Inc. Adaptive waveform matching for use in transmitter identification
US6453345B2 (en) 1996-11-06 2002-09-17 Datadirect Networks, Inc. Network security and surveillance system
US6269456B1 (en) 1997-12-31 2001-07-31 Network Associates, Inc. Method and system for providing automated updating and upgrading of antivirus applications using a computer network
US6185689B1 (en) 1998-06-24 2001-02-06 Richard S. Carson & Assoc., Inc. Method for network self security assessment
US6529143B2 (en) 1998-10-23 2003-03-04 Nokia Mobile Phones Ltd. Information retrieval system
US6301668B1 (en) 1998-12-29 2001-10-09 Cisco Technology, Inc. Method and system for adaptive network security using network vulnerability assessment
US7023383B2 (en) 1999-01-08 2006-04-04 Trueposition, Inc. Multiple pass location processor
US6959184B1 (en) 1999-06-30 2005-10-25 Lucent Technologies Inc. Method for determining the security status of transmissions in a telecommunications network
US6272353B1 (en) 1999-08-20 2001-08-07 Siemens Information And Communication Mobile Llc. Method and system for mobile communications
US7020895B2 (en) 1999-12-24 2006-03-28 F-Secure Oyj Remote computer virus scanning
US20070005327A1 (en) 2000-01-24 2007-01-04 Radioscape Limited Digital wireless basestation
US20010044339A1 (en) 2000-02-17 2001-11-22 Angel Cordero Multi-player computer game, system and method
US7159237B2 (en) 2000-03-16 2007-01-02 Counterpane Internet Security, Inc. Method and system for dynamic network intrusion monitoring, detection and response
US7236598B2 (en) 2000-05-23 2007-06-26 Invicta Networks, Inc. Systems and methods for communication protection
US7634800B2 (en) 2000-06-30 2009-12-15 International Business Machines Corporation Method and apparatus for network assessment and authentication
US20060272011A1 (en) 2000-06-30 2006-11-30 Internet Security Systems, Inc. Method and apparatus for network assessment and authentication
US7069589B2 (en) 2000-07-14 2006-06-27 Computer Associates Think, Inc.. Detection of a class of viral code
US20120179814A1 (en) 2000-07-19 2012-07-12 Akamai Technologies, Inc. Determination and use of metrics in a domain name service (DNS) system
US6892225B1 (en) 2000-07-19 2005-05-10 Fusionone, Inc. Agent system for a secure remote access system
US20130019311A1 (en) 2000-07-19 2013-01-17 Akamai Technologies, Inc. Method and system for handling computer network attacks
US20020042886A1 (en) 2000-08-31 2002-04-11 Pasi Lahti Software virus protection
US20070220608A1 (en) 2000-08-31 2007-09-20 F-Secure Oyj Software virus protection
US20050237970A1 (en) 2000-09-14 2005-10-27 Kabushiki Kaisha Toshiba Packet transfer scheme using mobile terminal and router for preventing attacks using global address
US7178166B1 (en) 2000-09-19 2007-02-13 Internet Security Systems, Inc. Vulnerability assessment and authentication of a computer by a local scanner
US20050015443A1 (en) 2000-10-10 2005-01-20 Alex Levine Personal message delivery system
US20020087483A1 (en) 2000-12-29 2002-07-04 Shlomi Harif System, method and program for creating and distributing processes in a heterogeneous network
US6907530B2 (en) 2001-01-19 2005-06-14 V-One Corporation Secure internet applications with mobile code
US20020108058A1 (en) 2001-02-08 2002-08-08 Sony Corporation And Sony Electronics Inc. Anti-theft system for computers and other electronic devices
US7325249B2 (en) 2001-04-30 2008-01-29 Aol Llc Identifying unwanted electronic messages
US20020183060A1 (en) 2001-05-07 2002-12-05 Lg Electronics Inc. Map message processing system and method for interworking between heterogeneous networks
US20030028803A1 (en) 2001-05-18 2003-02-06 Bunker Nelson Waldo Network vulnerability assessment system and method
US20020191018A1 (en) 2001-05-31 2002-12-19 International Business Machines Corporation System and method for implementing a graphical user interface across dissimilar platforms yet retaining similar look and feel
US7123933B2 (en) 2001-05-31 2006-10-17 Orative Corporation System and method for remote application management of a wireless device
US7237264B1 (en) 2001-06-04 2007-06-26 Internet Security Systems, Inc. System and method for preventing network misuse
US7228566B2 (en) 2001-07-10 2007-06-05 Core Sdi, Incorporated Automated computer system security compromise
US20070086476A1 (en) 2001-07-20 2007-04-19 Smartmatic, Corp. Method for smart device network application infrastructure (SDNA)
US20040025042A1 (en) 2001-08-01 2004-02-05 Networks Associates Technology, Inc. Malware scanning user interface for wireless devices
US7171690B2 (en) 2001-08-01 2007-01-30 Mcafee, Inc. Wireless malware scanning back-end system and method
US6792543B2 (en) 2001-08-01 2004-09-14 Networks Associates Technology, Inc. Virus scanning on thin client devices using programmable assembly language
US7861303B2 (en) 2001-08-01 2010-12-28 Mcafee, Inc. Malware scanning wireless service agent system and method
US7096368B2 (en) 2001-08-01 2006-08-22 Mcafee, Inc. Platform abstraction layer for a wireless malware scanning engine
US20030079145A1 (en) 2001-08-01 2003-04-24 Networks Associates Technology, Inc. Platform abstraction layer for a wireless malware scanning engine
US20030046134A1 (en) 2001-08-28 2003-03-06 Frolick Harry A. Web-based project management system
US6696941B2 (en) 2001-09-04 2004-02-24 Agere Systems Inc. Theft alarm in mobile device
US7210168B2 (en) 2001-10-15 2007-04-24 Mcafee, Inc. Updating malware definition data for mobile data processing devices
US20040259532A1 (en) 2001-10-31 2004-12-23 Markus Isomaki Method for handling of messages between a terminal and a data network
US20030115485A1 (en) 2001-12-14 2003-06-19 Milliken Walter Clark Hash-based systems and methods for detecting, preventing, and tracing network worms and viruses
US7401359B2 (en) 2001-12-21 2008-07-15 Mcafee, Inc. Generating malware definition data for mobile computing devices
US20030120951A1 (en) 2001-12-21 2003-06-26 Gartside Paul Nicholas Generating malware definition data for mobile computing devices
US7308712B2 (en) 2001-12-31 2007-12-11 Mcafee, Inc. Automated computer vulnerability resolution system
US20050125779A1 (en) 2002-01-10 2005-06-09 Microsoft Corporation Cross-platform software development with a software development peripheral
US20030131148A1 (en) 2002-01-10 2003-07-10 David Kelley Cross-platform software development with a software development peripheral
US20060075388A1 (en) 2002-01-10 2006-04-06 Microsoft Corporation Cross-platform software development with and software development peripheral
US20070011319A1 (en) 2002-01-15 2007-01-11 Mcclure Stuart C System and method for network vulnerability detection and reporting
US7415270B2 (en) 2002-02-15 2008-08-19 Telefonaktiebolaget L M Ericsson (Publ) Middleware services layer for platform system for mobile terminals
US7308256B2 (en) 2002-02-28 2007-12-11 Ntt Docomo, Inc. Mobile communication terminal, information processing apparatus, relay server apparatus, information processing system, and information processing method
US20050154796A1 (en) 2002-03-06 2005-07-14 Forsyth John M. Method of enabling a wireless information device to access data services
US7266810B2 (en) 2002-04-09 2007-09-04 Hewlett-Packard Development Company, Lp. Runtime profiling of platform-independent software applications
US20060218482A1 (en) 2002-04-19 2006-09-28 Droplet Technology, Inc. Mobile imaging application, device architecture, service platform architecture and services
US20040022258A1 (en) 2002-07-30 2004-02-05 Docomo Communications Laboratories Usa, Inc. System for providing access control platform service for private networks
US20060073820A1 (en) 2002-10-10 2006-04-06 Craswell Ronald J Method and apparatus for remote control and updating of wireless mobile devices
US7127455B2 (en) 2002-11-12 2006-10-24 Hewlett-Packard Development Company, L.P. Taxonomy for mobile e-services
US20050074106A1 (en) 2002-11-14 2005-04-07 Alcatel Call establishment method
US7376969B1 (en) 2002-12-02 2008-05-20 Arcsight, Inc. Real time monitoring and analysis of events from multiple network security devices
US7181252B2 (en) 2002-12-10 2007-02-20 Nokia Corporation System and method for performing security functions of a mobile station
US7467206B2 (en) 2002-12-23 2008-12-16 Microsoft Corporation Reputation system for web services
US7386297B2 (en) 2002-12-28 2008-06-10 Curitel Communications, Inc. Mobile communication system and mobile terminal having function of inactivating mobile communication viruses, and method thereof
US20040133624A1 (en) 2003-01-06 2004-07-08 Seung-Joon Park Method and apparatus for performing common call processing management using common software platform
US7290276B2 (en) 2003-02-06 2007-10-30 Lenovo Singapore Pte. Ltd. Information processing apparatus for secure information recovery
US20040158741A1 (en) 2003-02-07 2004-08-12 Peter Schneider System and method for remote virus scanning in wireless networks
US20040185900A1 (en) 2003-03-20 2004-09-23 Mcelveen William Cell phone with digital camera and smart buttons and methods for using the phones for security monitoring
US7392043B2 (en) 2003-04-17 2008-06-24 Ntt Docomo, Inc. API system, method and computer program product for accessing content/security analysis functionality in a mobile communication framework
US20040209608A1 (en) 2003-04-17 2004-10-21 Ntt Docomo, Inc. API system, method and computer program product for accessing content/security analysis functionality in a mobile communication framework
US20050010821A1 (en) 2003-04-29 2005-01-13 Geoffrey Cooper Policy-based vulnerability assessment
US20040225887A1 (en) 2003-05-08 2004-11-11 O'neil Douglas R. Centralized authentication system
US7392543B2 (en) 2003-06-30 2008-06-24 Symantec Corporation Signature extraction system and method
US7356835B2 (en) 2003-08-26 2008-04-08 Mitel Networks Corporation Security monitor for PDA attached telephone
US7472422B1 (en) 2003-09-10 2008-12-30 Symantec Corporation Security management system including feedback and control
US20050091308A1 (en) 2003-09-29 2005-04-28 Peter Bookman Mobility device
US20050076246A1 (en) 2003-10-01 2005-04-07 Singhal Tara Chand Method and apparatus for network security using a router based authentication system
US20050130627A1 (en) 2003-11-26 2005-06-16 Benoit Calmels Authentication between a cellular phone and an access point of a short-range network
US20050138413A1 (en) 2003-12-11 2005-06-23 Richard Lippmann Network security planning architecture
US20050138395A1 (en) 2003-12-18 2005-06-23 Benco David S. Network support for mobile handset anti-virus protection
US20050138450A1 (en) 2003-12-19 2005-06-23 Cheng-Hsueh Hsieh Apparatus and method for power performance monitors for low-power program tuning
US20050186954A1 (en) 2004-02-20 2005-08-25 Tom Kenney Systems and methods that provide user and/or network personal data disabling commands for mobile devices
US20050197099A1 (en) 2004-03-08 2005-09-08 Lan-Ver Technologies Solutions Ltd. Cellular device security apparatus and method
US7991854B2 (en) 2004-03-19 2011-08-02 Microsoft Corporation Dynamic session maintenance for mobile computing devices
US20050282533A1 (en) 2004-03-22 2005-12-22 Vadim Draluk Method and apparatus for dynamic extension of device management tree data model on a mobile
US20070214504A1 (en) 2004-03-30 2007-09-13 Paolo Milani Comparetti Method And System For Network Intrusion Detection, Related Network And Computer Program Product
US20050221800A1 (en) 2004-03-31 2005-10-06 Jackson Riley W Method for remote lockdown of a mobile computer
US7525541B2 (en) 2004-04-05 2009-04-28 Actuality Systems, Inc. Data processing for three-dimensional displays
US20050227669A1 (en) 2004-04-08 2005-10-13 Ixi Mobile (R&D) Ltd. Security key management system and method in a mobile communication network
WO2005101789A1 (en) 2004-04-14 2005-10-27 Gurunath Samir Kalekar A system for real-time network based vulnerability assessment of a host/device
US20050254654A1 (en) 2004-04-19 2005-11-17 The Boeing Company Security state vector for mobile network platform
US7783281B1 (en) 2004-04-22 2010-08-24 Sprint Spectrum L.P. Method and system for securing a mobile device
US20050278777A1 (en) 2004-06-14 2005-12-15 Hackerproof Security, Inc. Method and system for enforcing secure network connection
US20060026283A1 (en) 2004-07-30 2006-02-02 Trueba Luis Ruben Z System and method for updating software on a computer
US20080208950A1 (en) 2004-08-19 2008-08-28 Sk Telecom Co., Ltd. Method and Apparatus for Integrating and Managing Information of Mobile Terminal
US20080276111A1 (en) 2004-09-03 2008-11-06 Jacoby Grant A Detecting Software Attacks By Monitoring Electric Power Consumption Patterns
US20070016955A1 (en) 2004-09-24 2007-01-18 Ygor Goldberg Practical threat analysis
US20060080680A1 (en) 2004-10-12 2006-04-13 Majid Anwar Platform independent dynamic linking
US8031657B2 (en) 2004-10-29 2011-10-04 Skyhook Wireless, Inc. Server for updating location beacon database
US7305245B2 (en) 2004-10-29 2007-12-04 Skyhook Wireless, Inc. Location-based services that choose location algorithms based on number of detected access points within range of user device
US20060095454A1 (en) 2004-10-29 2006-05-04 Texas Instruments Incorporated System and method for secure collaborative terminal identity authentication between a wireless communication device and a wireless operator
US7403762B2 (en) 2004-10-29 2008-07-22 Skyhook Wireless, Inc. Method and system for building a location beacon database
US7769396B2 (en) 2004-10-29 2010-08-03 Skyhook Wireless, Inc. Location-based services that choose location algorithms based on number of detected access points within range of user device
US7818017B2 (en) 2004-10-29 2010-10-19 Skyhook Wireless, Inc. Location-based services that choose location algorithms based on number of detected wireless signal stations within range of user device
US7433694B2 (en) 2004-10-29 2008-10-07 Skyhook Wireless, Inc. Location beacon database
US7414988B2 (en) 2004-10-29 2008-08-19 Skyhook Wireless, Inc. Server for updating location beacon database
WO2006110181A2 (en) 2004-10-29 2006-10-19 Skyhook Wireless, Inc. Location beacon database and server, method of building location beacon database, and location based service using same
US20060101518A1 (en) 2004-11-05 2006-05-11 Schumaker Troy T Method to generate a quantitative measurement of computer security vulnerabilities
US20060130145A1 (en) 2004-11-20 2006-06-15 Choi Byeong C System and method for analyzing malicious code protocol and generating harmful traffic
US20060150256A1 (en) 2004-12-03 2006-07-06 Whitecell Software Inc. A Delaware Corporation Secure system for allowing the execution of authorized computer program code
US20060150238A1 (en) 2005-01-04 2006-07-06 Symbol Technologies, Inc. Method and apparatus of adaptive network policy management for wireless mobile computers
US7397424B2 (en) 2005-02-03 2008-07-08 Mexens Intellectual Property Holding, Llc System and method for enabling continuous geographic location estimation for wireless computing devices
US7696923B2 (en) 2005-02-03 2010-04-13 Mexens Intellectual Property Holding Llc System and method for determining geographic location of wireless computing devices
US20060179485A1 (en) 2005-02-09 2006-08-10 Gary Longsine Intrusion handling system and method for a packet network with dynamic network address utilization
US7474897B2 (en) 2005-02-22 2009-01-06 Skyhook Wireless, Inc. Continuous data optimization by filtering and positioning systems
US7493127B2 (en) 2005-02-22 2009-02-17 Skyhook Wireless, Inc. Continuous data optimization of new access points in positioning systems
WO2007081356A3 (en) 2005-02-22 2008-01-10 Skyhook Wireless Inc Continuous data optimization in positioning system
US20060224742A1 (en) 2005-02-28 2006-10-05 Trust Digital Mobile data security system and methods
US7502620B2 (en) 2005-03-04 2009-03-10 Shyhook Wireless, Inc. Encoding and compression of a location beacon database
US20060217115A1 (en) 2005-03-18 2006-09-28 Cassett Tia M Methods and apparatus for monitoring configurable performance levels in a wireless device
US8135395B2 (en) 2005-03-18 2012-03-13 Qualcomm Incorporated Methods and apparatus for monitoring configurable performance levels in a wireless device
US20060236325A1 (en) 2005-03-21 2006-10-19 Rao Bindu R Mobile device client
US7809366B2 (en) 2005-03-21 2010-10-05 Hewlett-Packard Development Company, L.P. Mobile device client
US20080046557A1 (en) 2005-03-23 2008-02-21 Cheng Joseph C Method and system for designing, implementing, and managing client applications on mobile devices
US20070090954A1 (en) 2005-04-14 2007-04-26 Kevin Mahaffey RFID security system and methods
US20060253584A1 (en) 2005-05-03 2006-11-09 Dixon Christopher J Reputation of an entity associated with a content item
US20060253205A1 (en) 2005-05-09 2006-11-09 Michael Gardiner Method and apparatus for tabular process control
US20060277408A1 (en) 2005-06-03 2006-12-07 Bhat Sathyanarayana P System and method for monitoring and maintaining a wireless device
US20060294582A1 (en) 2005-06-28 2006-12-28 Symbol Technologies, Inc. Mobility policy manager for mobile computing devices
US20070016953A1 (en) 2005-06-30 2007-01-18 Prevx Limited Methods and apparatus for dealing with malware
US20070015519A1 (en) 2005-07-12 2007-01-18 Qwest Communications International Inc. User defined location based notification for a mobile communications device systems and methods
US7907966B1 (en) 2005-07-19 2011-03-15 Aol Inc. System and method for cross-platform applications on a wireless phone
US20070021112A1 (en) 2005-07-21 2007-01-25 Sun Microsystems, Inc. Method and system for ensuring mobile data security
US20070038677A1 (en) 2005-07-27 2007-02-15 Microsoft Corporation Feedback-driven malware detector
US20070028095A1 (en) 2005-07-28 2007-02-01 Allen David L Security certificate management
US20070028303A1 (en) 2005-07-29 2007-02-01 Bit 9, Inc. Content tracking in a network security system
US20070028304A1 (en) 2005-07-29 2007-02-01 Bit 9, Inc. Centralized timed analysis in a network security system
US7304570B2 (en) 2005-08-10 2007-12-04 Scenera Technologies, Llc Methods, systems, and computer program products for providing context-based, hierarchical security for a mobile device
US20070050471A1 (en) 2005-08-31 2007-03-01 Microsoft Corporation Portable Remoting Component With A Scaleable Feature Set
US7397434B2 (en) 2005-09-16 2008-07-08 Samsung Electro-Mechanics Co., Ltd. Built-in antenna module of wireless communication terminal
GB2430588B (en) 2005-09-20 2010-03-24 Alireza Mousavi Khalkhali Communication system and method
US20070089165A1 (en) 2005-10-15 2007-04-19 Huawei Technologies Co. Ltd. Method and System for Network Security Control
US20120259954A1 (en) 2005-11-21 2012-10-11 Limelight Networks, Inc. Domain name resolution resource allocation
US20070154014A1 (en) 2005-12-30 2007-07-05 Selim Aissi Using a trusted-platform-based shared-secret derivation and WWAN infrastructure-based enrollment to establish a secure local channel
US20070174472A1 (en) 2006-01-20 2007-07-26 Verimatrix, Inc. Network security system and method
US20070248047A1 (en) 2006-01-31 2007-10-25 Peter Shorty Home electrical device control within a wireless mesh network
US20070186282A1 (en) 2006-02-06 2007-08-09 Microsoft Corporation Techniques for identifying and managing potentially harmful web traffic
US20070190995A1 (en) 2006-02-13 2007-08-16 Nokia Corporation Remote control of a mobile device
US7471954B2 (en) 2006-02-24 2008-12-30 Skyhook Wireless, Inc. Methods and systems for estimating a user position in a WLAN positioning system based on user assigned access point locations
US7685132B2 (en) 2006-03-15 2010-03-23 Mog, Inc Automatic meta-data sharing of existing media through social networking
US20100064341A1 (en) 2006-03-27 2010-03-11 Carlo Aldera System for Enforcing Security Policies on Mobile Communications Devices
US20100240419A1 (en) 2006-03-28 2010-09-23 Kyocera Corporation Mobile Terminal and Functional Operation Control Method of the Same
US20070240218A1 (en) * 2006-04-06 2007-10-11 George Tuvell Malware Detection System and Method for Mobile Platforms
US20070240222A1 (en) * 2006-04-06 2007-10-11 George Tuvell System and Method for Managing Malware Protection on Mobile Devices
US20070240217A1 (en) 2006-04-06 2007-10-11 George Tuvell Malware Modeling Detection System And Method for Mobile Platforms
US20070240221A1 (en) * 2006-04-06 2007-10-11 George Tuvell Non-Signature Malware Detection System and Method for Mobile Platforms
US20070250627A1 (en) 2006-04-21 2007-10-25 May Robert A Method, apparatus, signals and medium for enforcing compliance with a policy on a client computer
US8087082B2 (en) 2006-04-29 2011-12-27 Ironport Systems, Inc. Apparatus for filtering server responses
US7916661B2 (en) 2006-05-08 2011-03-29 Skyhook Wireless, Inc. Estimation of position using WLAN access point radio propagation characteristics in a WLAN positioning system
US7515578B2 (en) 2006-05-08 2009-04-07 Skyhook Wireless, Inc. Estimation of position using WLAN access point radio propagation characteristics in a WLAN positioning system
US7551929B2 (en) 2006-05-08 2009-06-23 Skyhook Wireless, Inc. Estimation of speed and direction of travel in a WLAN positioning system using multiple position estimations
US8090386B2 (en) 2006-05-08 2012-01-03 Skyhook Wireless, Inc. Estimation of speed and direction of travel in a WLAN positioning system
US7551579B2 (en) 2006-05-08 2009-06-23 Skyhook Wireless, Inc. Calculation of quality of wlan access point characterization for use in a wlan positioning system
US8014788B2 (en) 2006-05-08 2011-09-06 Skyhook Wireless, Inc. Estimation of speed of travel using the dynamic signal strength variation of multiple WLAN access points
US7835754B2 (en) 2006-05-08 2010-11-16 Skyhook Wireless, Inc. Estimation of speed and direction of travel in a WLAN positioning system
US7809353B2 (en) 2006-05-18 2010-10-05 Research In Motion Limited Automatic security action invocation for mobile communications device
US20070293263A1 (en) 2006-06-14 2007-12-20 Hossein Eslambolchi Method and apparatus for providing multi-system cellular communications
US20080140767A1 (en) 2006-06-14 2008-06-12 Prasad Rao Divitas description protocol and methods therefor
US20070297610A1 (en) 2006-06-23 2007-12-27 Microsoft Corporation Data protection for a mobile device
US7768963B2 (en) 2006-07-07 2010-08-03 Skyhook Wireless, Inc. System and method of improving sampling of WLAN packet information to improve estimates of Doppler frequency of a WLAN positioning device
WO2008007111A1 (en) 2006-07-14 2008-01-17 Vodaphone Group Plc Telecommunications device security
US20080028470A1 (en) 2006-07-25 2008-01-31 Mark Remington Systems and Methods for Vulnerability Detection and Scoring with Threat Assessment
US20080046369A1 (en) 2006-07-27 2008-02-21 Wood Charles B Password Management for RSS Interfaces
US20080047007A1 (en) 2006-08-18 2008-02-21 Microsoft Corporation Network security page
US20080070495A1 (en) 2006-08-18 2008-03-20 Michael Stricklen Mobile device management
US20080049653A1 (en) 2006-08-28 2008-02-28 Mustafa Demirhan Battery level based configuration of a mobile station by a base station
US20080065507A1 (en) 2006-09-12 2008-03-13 James Morrison Interactive digital media services
US20080109871A1 (en) 2006-09-13 2008-05-08 Richard Jacobs Policy management
US20080127334A1 (en) 2006-09-14 2008-05-29 Computer Associates Think, Inc. System and method for using rules to protect against malware
US7856373B2 (en) 2006-09-14 2010-12-21 Shah Ullah Targeting content to network-enabled devices based upon stored profiles
US20080072329A1 (en) 2006-09-14 2008-03-20 Interdigital Technology Corporation Method and system for enhancing flow of behavior metrics and evaluation of security of a node
US20080127171A1 (en) 2006-09-15 2008-05-29 Altiris, Inc. Method and System for Creating and Executing Generic Software Packages
US20080127336A1 (en) 2006-09-19 2008-05-29 Microsoft Corporation Automated malware signature generation
US20080127179A1 (en) 2006-09-25 2008-05-29 Barrie Jon Moss System and apparatus for deployment of application and content to different platforms
US20080200160A1 (en) 2006-09-28 2008-08-21 Dudley Fitzpatrick Apparatuses, Methods and Systems for Ambiguous Code-Triggered Information Querying and Serving on Mobile Devices
US20120303735A1 (en) 2006-10-05 2012-11-29 Limelight Networks, Inc. Domain name service resolver
US20080086776A1 (en) 2006-10-06 2008-04-10 George Tuvell System and method of malware sample collection on mobile networks
US20080086773A1 (en) 2006-10-06 2008-04-10 George Tuvell System and method of reporting and visualizing malware on mobile networks
US8259568B2 (en) 2006-10-23 2012-09-04 Mcafee, Inc. System and method for controlling mobile device access to a network
US20080148381A1 (en) 2006-10-30 2008-06-19 Jeffrey Aaron Methods, systems, and computer program products for automatically configuring firewalls
US7856234B2 (en) 2006-11-07 2010-12-21 Skyhook Wireless, Inc. System and method for estimating positioning error within a WLAN-based positioning system
US8019357B2 (en) 2006-11-07 2011-09-13 Skyhook Wireless, Inc. System and method for estimating positioning error within a WLAN-based positioning system
WO2008057737A2 (en) 2006-11-07 2008-05-15 Skyhook Wireless, Inc. System and method for estimating positioning error within a wlan-based positioning system
US8108555B2 (en) 2006-11-09 2012-01-31 Yahoo! Inc. System and method for transmission of DNS beacons
US20080178294A1 (en) 2006-11-27 2008-07-24 Guoning Hu Wireless intrusion prevention system and method
US20080134281A1 (en) 2006-11-30 2008-06-05 Mcafee, Inc. Method and system for enhanced wireless network security
US20080132218A1 (en) 2006-11-30 2008-06-05 Yuval Samson Method and Apparatus for Starting Applications
US8195196B2 (en) 2006-12-29 2012-06-05 United States Cellular Corporation Mobility based service in wireless environment
US8126456B2 (en) 2007-01-17 2012-02-28 Eagency, Inc. Mobile communication device monitoring systems and methods
US20080172746A1 (en) 2007-01-17 2008-07-17 Lotter Robert A Mobile communication device monitoring systems and methods
US20080181116A1 (en) 2007-01-17 2008-07-31 Richard Thomas Kavanaugh Quality of service application programming interface over socket
US20080196104A1 (en) 2007-02-09 2008-08-14 George Tuvell Off-line mms malware scanning system and method
US20080307243A1 (en) 2007-02-16 2008-12-11 Lee Michael M Anticipatory Power Management for Battery-Powered Electronic Device
US20080209557A1 (en) 2007-02-28 2008-08-28 Microsoft Corporation Spyware detection mechanism
US20080318562A1 (en) 2007-03-02 2008-12-25 Aegis Mobility, Inc. System and methods for monitoring the context associated with a mobile communication device
US8364785B2 (en) 2007-03-12 2013-01-29 Citrix Systems, Inc. Systems and methods for domain name resolution interception caching
US20080235801A1 (en) * 2007-03-20 2008-09-25 Microsoft Corporation Combining assessment models and client targeting to identify network security vulnerabilities
US20090248623A1 (en) 2007-05-09 2009-10-01 The Go Daddy Group, Inc. Accessing digital identity related reputation data
US20080293396A1 (en) 2007-05-23 2008-11-27 Robert John Barnes Integrating Mobile Device Based Communication Session Recordings
US8127358B1 (en) * 2007-05-30 2012-02-28 Trend Micro Incorporated Thin client for computer security applications
US20090199298A1 (en) 2007-06-26 2009-08-06 Miliefsky Gary S Enterprise security management for network equipment
US7774637B1 (en) 2007-09-05 2010-08-10 Mu Dynamics, Inc. Meta-instrumentation for security analysis
US20130023209A1 (en) 2007-11-14 2013-01-24 Blaze Mobile, Inc. Mobile communication device secure near field communication payment transactions with authentication
US20090205016A1 (en) 2007-12-10 2009-08-13 Milas Brian T Policy enforcement using esso
US20090172227A1 (en) 2007-12-27 2009-07-02 Igt Serial advanced technology attachment write protection: mass storage data protection device
US8261351B1 (en) 2008-01-22 2012-09-04 F5 Networks, Inc. DNS flood protection platform for a network
US20090205047A1 (en) 2008-02-08 2009-08-13 Guy Podjarny Method and Apparatus for Security Assessment of a Computing Platform
US20090293125A1 (en) * 2008-05-21 2009-11-26 Symantec Corporation Centralized Scanner Database With Qptimal Definition Distribution Using Network Queries
US20110171923A1 (en) 2008-05-22 2011-07-14 At&T Mobility Ii Llc Designation Of Cellular Broadcast Message Identifiers For The Commercial Mobile Alert System
US8089399B2 (en) 2008-06-06 2012-01-03 Skyhook Wireless, Inc. System and method for refining a WLAN-PS estimated location using satellite measurements in a hybrid positioning system
US8089398B2 (en) 2008-06-06 2012-01-03 Skyhook Wireless, Inc. Methods and systems for stationary user detection in a hybrid positioning system
US7999742B2 (en) 2008-06-06 2011-08-16 Skyhook Wireless, Inc. System and method for using a satellite positioning system to filter WLAN access points in a hybrid positioning system
US8054219B2 (en) 2008-06-06 2011-11-08 Skyhook Wireless, Inc. Systems and methods for determining position using a WLAN-PS estimated position as an initial position in a hybrid positioning system
US8266324B2 (en) 2008-06-12 2012-09-11 International Business Machines Corporation Domain specific domain name service
US20100019731A1 (en) 2008-07-24 2010-01-28 Sean Connolly Device and Method for Instantaneous Load Reduction Configuration to Prevent Under Voltage Condition
US20120084864A1 (en) 2008-10-21 2012-04-05 Lookout, Inc. System and method for a mobile cross-platform software system
WO2010048220A1 (en) 2008-10-21 2010-04-29 Flexilis Inc. System and method for attack and malware prevention
US20100100959A1 (en) 2008-10-21 2010-04-22 Flexilis, Inc. System and method for monitoring and analyzing multiple interfaces and multiple protocols
US20110145920A1 (en) 2008-10-21 2011-06-16 Lookout, Inc System and method for adverse mobile application identification
US20100100939A1 (en) 2008-10-21 2010-04-22 Flexilis, Inc. Secure mobile platform system
US20110047597A1 (en) 2008-10-21 2011-02-24 Lookout, Inc., A California Corporation System and method for security data collection and analysis
US20110047620A1 (en) 2008-10-21 2011-02-24 Lookout, Inc., A California Corporation System and method for server-coupled malware prevention
US20120042382A1 (en) 2008-10-21 2012-02-16 Lookout, Inc. System and method for monitoring and analyzing multiple interfaces and multiple protocols
US20100100591A1 (en) 2008-10-21 2010-04-22 Flexilis, Inc. System and method for a mobile cross-platform software system
US20120233695A1 (en) 2008-10-21 2012-09-13 Lookout, Inc., A California Corporation System and method for server-coupled application re-analysis to obtain trust, distribution and ratings assessment
US20110047594A1 (en) 2008-10-21 2011-02-24 Lookout, Inc., A California Corporation System and method for mobile communication device application advisement
US20100100963A1 (en) 2008-10-21 2010-04-22 Flexilis, Inc. System and method for attack and malware prevention
US20120060222A1 (en) 2008-10-21 2012-03-08 Lookout, Inc. Security status and information display system
WO2010048218A1 (en) 2008-10-21 2010-04-29 Flexilis Inc. Security status and information display system
US20100100964A1 (en) 2008-10-21 2010-04-22 Flexilis, Inc. Security status and information display system
US20100097494A1 (en) 2008-10-21 2010-04-22 Qualcomm Incorporated Multimode GPS-Enabled Camera
US20120084836A1 (en) 2008-10-21 2012-04-05 Lookout, Inc. Providing access levels to services based on mobile device security state
US20120096555A1 (en) 2008-10-21 2012-04-19 Lookout, Inc. System and method for attack and malware prevention
US20120110174A1 (en) 2008-10-21 2012-05-03 Lookout, Inc. System and method for a scanning api
US20130086682A1 (en) 2008-10-21 2013-04-04 Lookout, Inc., A California Corporation System and method for preventing malware on a mobile communication device
US8266288B2 (en) 2008-10-23 2012-09-11 International Business Machines Corporation Dynamic expiration of domain name service entries
US8121617B1 (en) 2008-12-09 2012-02-21 Lagrotta James Thomas Method of remotely locating a mobile device equipped with a radio receiver
US20100154032A1 (en) * 2008-12-12 2010-06-17 International Business Machines Corporation System and Method for Classification of Unwanted or Malicious Software Through the Identification of Encrypted Data Communication
US20110047033A1 (en) 2009-02-17 2011-02-24 Lookout, Inc. System and method for mobile device replacement
US20120196571A1 (en) 2009-02-17 2012-08-02 Lookout Inc. System and method for remotely-initiated audio communication
US20120188064A1 (en) 2009-02-17 2012-07-26 Lookout. Inc., a California Corporation System and method for remotely initiating playing of sound on a mobile device
US20100210240A1 (en) 2009-02-17 2010-08-19 Flexilis, Inc. System and method for remotely securing or recovering a mobile device
US20110241872A1 (en) 2009-02-17 2011-10-06 Lookout, Inc., A California Corporation Mobile device geolocation
US20100313270A1 (en) * 2009-06-05 2010-12-09 The Regents Of The University Of Michigan System and method for detecting energy consumption anomalies and mobile malware variants
US20100332593A1 (en) * 2009-06-29 2010-12-30 Igor Barash Systems and methods for operating an anti-malware network on a cloud computing platform
US20110119765A1 (en) 2009-11-18 2011-05-19 Flexilis, Inc. System and method for identifying and assessing vulnerabilities on a mobile communication device
US20120072569A1 (en) 2010-02-12 2012-03-22 Verizon Patent And Licensing, Inc. Failure system for domain name system client
US20110296510A1 (en) 2010-05-27 2011-12-01 Microsoft Corporation Protecting user credentials using an intermediary component
WO2012027588A1 (en) 2010-08-25 2012-03-01 Lookout, Inc. System and method for server-coupled malware prevention
US8346860B2 (en) 2010-10-08 2013-01-01 Lumi Technologies Limited Multi-phased and partitioned content preparation and delivery
US20130041974A1 (en) 2010-11-01 2013-02-14 Seven Networks, Inc. Application and network-based long poll request detection and cacheability assessment therefor
US20120124239A1 (en) 2010-11-17 2012-05-17 Hola, Inc. Method and system for increasing speed of domain name system resolution within a computing device
US20120179801A1 (en) 2011-01-07 2012-07-12 Michael Luna System and method for reduction of mobile network traffic used for domain name system (dns) queries
US8356080B2 (en) 2011-04-19 2013-01-15 Seven Networks, Inc. System and method for a mobile device to use physical storage of another device for caching
US20120317233A1 (en) 2011-06-13 2012-12-13 International Business Machines Corporation Mobile web app infrastructure
US20120324568A1 (en) 2011-06-14 2012-12-20 Lookout, Inc., A California Corporation Mobile web protection
US20120324094A1 (en) 2011-06-14 2012-12-20 Lookout, Inc., A California Corporation Mobile device dns optimization
US20120324076A1 (en) 2011-06-14 2012-12-20 Lodgenet Interactive Corporation Method and apparatus for pairing a mobile device to an output device
US20130047034A1 (en) 2011-08-17 2013-02-21 Lookout, Inc., A California Corporation System and method for mobile device push communications

Non-Patent Citations (92)

* Cited by examiner, † Cited by third party
Title
"Android Cloud to Device Messaging Framework," Google Code Labs, available at , retrieved Sep. 14, 2011, 9 pages.
"Android Cloud to Device Messaging Framework," Google Code Labs, available at <http://code.google.com/android/c2dm/>, retrieved Sep. 14, 2011, 9 pages.
"Berry Locator", 2007, Mobireport LLC, 1 page.
"BlackBerry Push Service Overview," Dec. 16, 2009, available at , retrieved Sep. 14, 2011, 21 pages.
"BlackBerry Push Service Overview," Dec. 16, 2009, available at <http://us.blackberry.com/developers/platform/pushapi.jsp#tab—tab—resources>, retrieved Sep. 14, 2011, 21 pages.
"eSoft unveils SiteFilter 3.0 for OEMs," Infosecurity, Mar. 23, 2010, available at , retrieved Mar. 30, 2012, 2 pages.
"eSoft unveils SiteFilter 3.0 for OEMs," Infosecurity, Mar. 23, 2010, available at <http://www.infosecurity-magazine.com/view/8273/esoft-unveils-sitefilter-30-for-oems/>, retrieved Mar. 30, 2012, 2 pages.
"Firefox", Wikipedia, Jul. 20, 2011, available at <http://en.wikipedia.org/wiki/firefox> Retrieved Aug. 10, 2011, 37 Pages.
"Firefox", Wikipedia, Jul. 20, 2011, available at Retrieved Aug. 10, 2011, 37 Pages.
"F-Secure Mobile Security for S60 Users Guide", F-Secure Corporation 2009, pp. 1-34.
"Get the Physical Location of Wireless Router From its MAC Address (BSSID)," Coderrr, Sep. 10, 2008, available at <http://coderrr.wordpress.com/2008/09/10/get-the-physical-location-of-wireless-router-from-its-mac-address-bssid/>, retrieved Mar. 30, 2012, 13 pages.
"Hooking-Wikipedia, the Free Encyclopedia," Internet Archive Wayback Machine, Apr. 13, 2010, available at , retrieved Mar. 30, 2012, 6 pages.
"Hooking—Wikipedia, the Free Encyclopedia," Internet Archive Wayback Machine, Apr. 13, 2010, available at <http://web.archive.org/web/20100415154752/http://en.wikipedia.org/wiki/Hooking>, retrieved Mar. 30, 2012, 6 pages.
"Java Virtual Machine", Wikipedia, Aug. 7, 2011, Available at <http://en.wikipedia.org/wiki/Java—Virtual—Machine> Retrieved Aug. 10, 2011, 7 pages.
"Java Virtual Machine", Wikipedia, Aug. 7, 2011, Available at Retrieved Aug. 10, 2011, 7 pages.
"Kaspersky Mobile Security", Kaspersky Lab 1997-2007, 1 page.
"Kaspersky Mobile Security", Kaspersky Lab 2008, available at <http://www.kaspersky.com/kaspersky—mobile—security> Retrieved Sep. 11, 2008, 2 Pages.
"Kaspersky Mobile Security", Kaspersky Lab 2008, available at Retrieved Sep. 11, 2008, 2 Pages.
"Norton Smartphone Security",Symantec, 2007, Available at <http://www.symantec.com/norton/smartphone-security> Retrieved Oct. 21, 2008, 2 pages.
"Norton Smartphone Security",Symantec, 2007, Available at Retrieved Oct. 21, 2008, 2 pages.
"PhoneBak PDA Phone Anti-theft software for your PDA phone", 2007, Bak2u Pte Ltd (Singapore) pp. 1-4.
"PhoneBak: Mobile Phone Theft Recovery Software", 2007, Westin Tech.
"Pidgin The Universal Chat Client," Pidign, available at , retrieved Sep. 14, 2011, 14 pages.
"Pidgin The Universal Chat Client," Pidign, available at <http://www.pidgin.im/>, retrieved Sep. 14, 2011, 14 pages.
"Sprint-Report that your device is lost or stolen", web page downloaded Apr. 11, 2013 from http://support.sprint.com/support/article/Report-that-your-device-is-lost-or-stolen/case-ba416758-20090629-143222.
"Symantec Endpoint Protection", Symantec, 2008, Available at , 6 pages.
"Symantec Endpoint Protection", Symantec, 2008, Available at <http://www.symantec.com/business/products/family.jsp?familyid=endpointsecurity>, 6 pages.
"Symantec Mobile Security Suite for Windows Mobile", Symantec, 2008 Available at <http://www.symantec.com/business/products/sysreq.jsp?pcid=2241&pvid=mobile-security-suite-1>, 5 pages.
"TippingPoint Security Management System (SMS)", TippingPoint, Available at , 2 pages.
"TippingPoint Security Management System (SMS)", TippingPoint, Available at <http://www.tippingpoint.com/products—sms.html>, 2 pages.
"Twilio Cloud Communications Web Service API for Building Voice and SMS Applications," Twilio available at , retrieved Sep. 14, 2011, 12 pages.
"Twilio Cloud Communications Web Service API for Building Voice and SMS Applications," Twilio available at <http://www.twilio.com>, retrieved Sep. 14, 2011, 12 pages.
"Understanding Direct Push," Microsoft, Feb. 18, 2009, available at , retrieved Mar. 30, 2012, 3 pages.
"Understanding Direct Push," Microsoft, Feb. 18, 2009, available at <http://technet.microsoft.com/en-us/library/aa997252(v=exchg.80).aspx>, retrieved Mar. 30, 2012, 3 pages.
"Urban Airship: Powering Modern Mobile," available at , retrieved Sep. 16, 2011, 14 pages.
"Urban Airship: Powering Modern Mobile," available at <http://urbanairship.com/products/>, retrieved Sep. 16, 2011, 14 pages.
"Virgin Media-Phone Lost or Stolen?", web page downloaded Apr. 11, 2013 from http://www.virginmobile.com/vm/ukCoverage.do?contentId=insurance.howdoi.sm283.
"zVeloDB URL Database," zVelo, available at , retrieved Mar. 30, 2012, 2 pages.
"zVeloDB URL Database," zVelo, available at <https://zvelo.com/technology/zvelodb-url-database>, retrieved Mar. 30, 2012, 2 pages.
Amazon.com: Mining the Web Discovering Knowledge from Hypertext Data (9781558607545): Soumen Chakrabarti: Books, Amazon available at , retrieved Jun. 7, 2012, pp. 1-7.
Amazon.com: Mining the Web Discovering Knowledge from Hypertext Data (9781558607545): Soumen Chakrabarti: Books, Amazon available at <http://www.amazon.com/exec/obidos/ASIN/1558607544/>, retrieved Jun. 7, 2012, pp. 1-7.
Clickatell, available at , retrieved Sep. 14, 2011, 11 pages.
Clickatell, available at <http://www.clickatell.com>, retrieved Sep. 14, 2011, 11 pages.
Diligenti, M., et al., Focused Crawling Using Context Graphs:, Proceedings of the 26th VLDB Conference, Cairo, Egypt, 2000, pp. 1-8.
Dolcourt, Jessica Dashwire: Manage Your Cell Phone on the Web, News Blog, with Jessica Dolocourt, Oct. 29, 2007, 5:00am PDT <http://news.cnet.com/8301-10784—3-9805657-7.html> retrieved Jun. 15, 2009; pp. 1-3.
Dolcourt, Jessica Dashwire: Manage Your Cell Phone on the Web, News Blog, with Jessica Dolocourt, Oct. 29, 2007, 5:00am PDT retrieved Jun. 15, 2009; pp. 1-3.
Fette, Ian "Understanding Phishing and Malware Protection in Google Chrome," The Chromium Blog, Nov. 14, 2008, available at , retrieved May 17, 2011, 6 pages.
Fette, Ian "Understanding Phishing and Malware Protection in Google Chrome," The Chromium Blog, Nov. 14, 2008, available at <http://blog.chromium.org/2008/11/understanding-phishing-and-malware.htm>, retrieved May 17, 2011, 6 pages.
Fisher, Oliver "Malware? We Don't Need No Stinking Malware!," Google, Oct. 24, 2008, available at , retrieved Mar. 30 2012, 11 pages.
Fisher, Oliver "Malware? We Don't Need No Stinking Malware!," Google, Oct. 24, 2008, available at <http://googlewebmastercentral.blogspot.com/2008/10/malware-we-dont-need-no-stinking.html>, retrieved Mar. 30 2012, 11 pages.
Grafio "Stay Secure", Opera Software, Sep. 29, 2008, Available at <http://widgets.opera.com/widget/4495> Retrieved Oct. 21, 2008, 4 pages.
Grafio "Stay Secure", Opera Software, Sep. 29, 2008, Available at Retrieved Oct. 21, 2008, 4 pages.
Jefferies, Charles P. "Webroot AntiVirus 2010 With Spy Sweeper Review," Notebook Review, Jun. 22, 2010, available at <http:// http://www.notebookreview.com/default.asp?newsID=5700&review=Webroot+AntiVirus+2010+With+Spy+Sweeper+Review>, retrieved May 18, 2011, 3 pages.
Keane, Justin K. "Using the Google Safe Browsing API from PHP," Mad Irish, Aug. 7, 2009, available at , retrieved Mar. 30, 2012, 5 pages.
Keane, Justin K. "Using the Google Safe Browsing API from PHP," Mad Irish, Aug. 7, 2009, available at <http://www.madirish.net/node/245>, retrieved Mar. 30, 2012, 5 pages.
Kincaid, Jason "Urban Airship Brings Easy Push Notifications to Android," TechCrunch, Aug. 10, 2010, available at , retrieved Jun. 16, 2011, 5 pages.
Kincaid, Jason "Urban Airship Brings Easy Push Notifications to Android," TechCrunch, Aug. 10, 2010, available at <http://techcrunch.com/2010/08/10/urban-airship-brings-easy-push-notifications-to-android/>, retrieved Jun. 16, 2011, 5 pages.
Lifehacker: "VirusTotal Uploader 2.0 Instantly Scans Files for Viruses Against 41 AV Apps," Dec. 15, 2009, pp. 1-1, XP055093169, Retrieved from the Internet: URL:http://lifehacker.com/5427159/virustotal-uploader-20-instantly-scans-files-for-viruses-against-41-av-apps [retrieved on Dec. 12, 2013].
McAfee, Internet Archive, Way Back Machine, available at <http://web.archive.org/web/20080611095201/www.qualys.com/solutions/vulnerability—management>retrieved Feb. 24, 2011, 1 page.
McAfee, Internet Archive, Way Back Machine, available at retrieved Feb. 24, 2011, 1 page.
Mytton, David "How to Build an Apple Push Notification Provider Server (Tutorial)," Server Density, Jul. 10, 2009, available at <http://blog.serverdensity.com/2009/07/10/how-to-build-an-apple-push-notification-provider-server-tutorial/>, retrieved Apr. 2, 2012, 33 pages.
PagerDuty, available at , retrieved Sep. 14, 2011, 23 pages.
PagerDuty, available at <http://www.pagerduty.com>, retrieved Sep. 14, 2011, 23 pages.
PCT International Preliminary Report on Patentability for PCT/US2011/049182; Mailed on Mar. 7, 2013; pp. 1-9.
PCT International Search Report and Written Opinion of the International Searching Authority for PCT/US2009/061370; Mailed on Dec. 14, 2009; pp. 1-12.
PCT International Search Report and Written Opinion of the International Searching Authority for PCT/US2009/061372; Mailed on Mar. 24, 2010; pp. 1-16.
PCT International Search Report and Written Opinion of the International Searching Authority for PCT/US2011/049182; Mailed on Dec. 23, 2011; pp. 1-11.
Pogue, David "Simplifying the Lives of Web Users," The New York Times, Aug. 18, 2010, available at , retrieved May 17, 2011, 5 pages.
Pogue, David "Simplifying the Lives of Web Users," The New York Times, Aug. 18, 2010, available at <http://www.nytimes.com/2010/08/19/technology/personaltech/19pogue.html>, retrieved May 17, 2011, 5 pages.
Prey, available at , retrieved Jan. 10, 2012, 4 pages.
Prey, available at <http://preyproject.com/>, retrieved Jan. 10, 2012, 4 pages.
Qualys, "Executive Dashboard," Internet Archive, Way back Machine, availble at <http://web.archive.org/web20080507161417/www.qualys.com/products/screens/?screen=Executive + Dashboard>, retrieved Feb. 23, 2011, 1 page.
Qualys, "Vulnerability Management," Internet Archive, Way Back Machine, available at <http://web.archive.org/web/20080611095201/www.qualys.com/solutions/vulnerability—management> Retrieved Feb. 24, 2011, 1 page.
Qualys, "Vulnerability Management," Internet Archive, Way Back Machine, available at Retrieved Feb. 24, 2011, 1 page.
Real world Computing, Jun. 16, 2008 (PC Pro), pp. 1-2.
Reardon, Marguerite "Mobile Phones That Track Your Buddies," Cnet, Nov. 14, 2006, available at , retrieved Mar. 30, 2012, 4 pages.
Reardon, Marguerite "Mobile Phones That Track Your Buddies," Cnet, Nov. 14, 2006, available at <http://news.cnet.com/Mobile-phones-that-track-your-buddies/2100-1039—3-6135209.html>, retrieved Mar. 30, 2012, 4 pages.
Richardson, Alexis "Introduction to RabbitMQ," Google UK, Sep. 25, 2008, available at , retrieved Mar. 30, 2012, 33 pages.
Richardson, Alexis "Introduction to RabbitMQ," Google UK, Sep. 25, 2008, available at <http://www.rabbitmq.com/resources/google-tech-talk-final/alexis-google-rabbitmq-talk.pdf>, retrieved Mar. 30, 2012, 33 pages.
Simone, "Playing with ActiveMQ," Mostly Useless, Dec. 27, 2007, available at , retrieved Mar. 30, 2012, 6 pages.
Simone, "Playing with ActiveMQ," Mostly Useless, Dec. 27, 2007, available at <http://www.mostly-useless.com/blog/2007/12/27/playing-with-activemq/>, retrieved Mar. 30, 2012, 6 pages.
Sprint Nextel, Mobile Locator, Internet Archive, Way Back Machine, available at http://web.archive.org/web/20080901070835/http://www.nextel.com/en/solutions/gps/mobile-locator.shtml, 2 pages, Retrieved Jan. 16, 2013.
Sprite Mobile, Sprite Backup, Internet Archive, Way Back Machine, available at http://web.archive.org/web/20080901220103/http://www.spritesoftware.com/?page-id=280, 4 pages, Retrieved Jan. 16, 2013.
Summerson, Cameron "5 Android Antivirus Apps Compared, Find Out Which Ones Are Worth Having!," Android Headlines, Mar. 8, 2011, available at <http://androidheadlines.com/2011/03/5-android-antivirus-apps-comapred-find-out-which-ones-are-worth-having.html>, retrieved Mar. 30, 2012, 9 pages.
Supplemental European Search Report and the European Search Opinion for EP 11820665.5 dated Jan. 2, 2014, pp. 1-8.
Teh, Joe, "Norton 360 Version 3.0 Review, "Mar. 9, 2009, Available at <http://techielobang-com/blog/2009/03109/norton-360-version-30-review/> Retrieved Feb. 23, 2011, 12 pages.
Teh, Joe, "Norton 360 Version 3.0 Review, "Mar. 9, 2009, Available at Retrieved Feb. 23, 2011, 12 pages.
Trillian, available at , retrieved Sep. 14, 2011, 24 pages.
Trillian, available at <http://www.trillian.im/>, retrieved Sep. 14, 2011, 24 pages.
Virus Total, VT Community, www.virustotal.com/index.html; Dated Dec. 16, 2011; 44 Pages.
Windows Update, Internet Archive, Way Back Machine, available at <http://web.archive.org/web/20071022193017/http://en.wikipedia.org/wiki/Windows—Update> Retrieved Feb. 23, 2011, 3 pages.
Windows Update, Internet Archive, Way Back Machine, available at Retrieved Feb. 23, 2011, 3 pages.

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150350045A1 (en) * 2013-01-07 2015-12-03 Beijing Qihoo Technology Company Limited Method and system for processing browser crash information
US9876696B2 (en) * 2013-01-07 2018-01-23 Beijing Qihoo Technology Company Limited Method and system for processing browser crash information
US9888022B2 (en) 2015-12-01 2018-02-06 International Business Machines Corporation Providing application-specific threat metrics
US10291641B2 (en) 2015-12-01 2019-05-14 International Business Machines Corporation Providing application-specific threat metrics
US10528734B2 (en) 2016-03-25 2020-01-07 The Mitre Corporation System and method for vetting mobile phone software applications
US11080399B2 (en) 2016-03-25 2021-08-03 The Mitre Corporation System and method for vetting mobile phone software applications
US10445486B2 (en) * 2016-12-08 2019-10-15 Alibaba Group Holding Limited Method and apparatus for authorized login
US20200042690A1 (en) * 2016-12-08 2020-02-06 Alibaba Group Holding Limited Method and apparatus for authorized login
US10795983B2 (en) * 2016-12-08 2020-10-06 Alibaba Group Holding Limited Method and apparatus for authorized login

Also Published As

Publication number Publication date
US20130086682A1 (en) 2013-04-04
US20110047620A1 (en) 2011-02-24
US20130117846A1 (en) 2013-05-09
US8752176B2 (en) 2014-06-10
US20120233695A1 (en) 2012-09-13
US8544095B2 (en) 2013-09-24
US20120290640A1 (en) 2012-11-15
US8745739B2 (en) 2014-06-03
US20140310770A1 (en) 2014-10-16
US8347386B2 (en) 2013-01-01
US9294500B2 (en) 2016-03-22

Similar Documents

Publication Publication Date Title
US9860263B2 (en) System and method for assessing data objects on mobile communications devices
US9344431B2 (en) System and method for assessing an application based on data from multiple devices
US9294500B2 (en) System and method for creating and applying categorization-based policy to secure a mobile communications device from access to certain data objects
US9740852B2 (en) System and method for assessing an application to be installed on a mobile communications device
EP2609538B1 (en) System and method for server-coupled malware prevention
US8984628B2 (en) System and method for adverse mobile application identification
US9235704B2 (en) System and method for a scanning API
US9563749B2 (en) Comparing applications and assessing differences

Legal Events

Date Code Title Description
AS Assignment

Owner name: LOOKOUT, INC., CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:MAHAFFEY, KEVIN PATRICK;BURGESS, JAMES DAVID;GOLOMBEK, DAVID;AND OTHERS;REEL/FRAME:030032/0314

Effective date: 20101102

FEPP Fee payment procedure

Free format text: MAINTENANCE FEE REMINDER MAILED (ORIGINAL EVENT CODE: REM.)

LAPS Lapse for failure to pay maintenance fees

Free format text: PATENT EXPIRED FOR FAILURE TO PAY MAINTENANCE FEES (ORIGINAL EVENT CODE: EXP.); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY

STCH Information on status: patent discontinuation

Free format text: PATENT EXPIRED DUE TO NONPAYMENT OF MAINTENANCE FEES UNDER 37 CFR 1.362

FP Lapsed due to failure to pay maintenance fee

Effective date: 20181028

AS Assignment

Owner name: SILICON VALLEY BANK, CALIFORNIA

Free format text: SECURITY INTEREST;ASSIGNOR:LOOKOUT, INC.;REEL/FRAME:054475/0906

Effective date: 20201118

AS Assignment

Owner name: LOOKOUT, INC., CALIFORNIA

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:SILICON VALLEY BANK (THE "BANK");REEL/FRAME:059909/0668

Effective date: 20220506